Luca Ongaro authored

* Improve upgrade guide section on cookies rotator

The Rails upgrade guide, in the section about upgrading from Rails 6.1 to Rails 7.0, contains some example code defining a cookie rotator for encrypted cookies, as Rails 7 changed the default digest for the key generator from `SHA1` to `SHA256`. The problem is that the provided example code only rotates encrypted cookies, and not signed ones. Rotating signed cookies is also usually necessary for the same reason, and failure to do so results in old cookies not being read. For example, when using the popular Rails authentication framework [Devise](https://github.com/heartcombo/devise) with the `rememberable` strategy, the "remember me" token is saved as a signed cookie, and without defining a rotator all users would be logged out following an upgrade to Rails 7.

This change improves the example code in the documentation by also rotating signed cookies. Note that providing an example is important, because rotating the signed cookies involves some technicality that is not obvious to users who are not comfortable with reading the [relevant Rails internal code](https://github.com/rails/rails/blob/649516ce0feb699ae06a8c5e81df75d460cc9a85/actionpack/lib/action_dispatch/middleware/cookies.rb#L615) (a different salt is used for signed cookies, and the `key_len` argument is omitted when generating the secret). The improved example code should hopefully save some mistakes for users following the upgrade guide.

* Apply suggestions from code review

Better naming for the signed cookie salt variable

Co-authored-by: Vipul A M <vipul@hey.com>

* Apply suggestions from code review

Better naming also for the authenticated encrypted cookie salt variable

Co-authored-by: Vipul A M <vipul@hey.com>
Co-authored-by: Vipul A M <vipul@hey.com>
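The following is an added, stand-alone illustration of the point the commit message makes; it is not code from Rails, from the upgrade guide, or from this change. It uses only Ruby's OpenSSL standard library to model what `ActiveSupport::KeyGenerator` does for cookies (PBKDF2-HMAC with 1000 iterations and a 64-byte key when `key_len` is omitted) and stands a minimal HMAC-SHA1 signer in for `ActiveSupport::MessageVerifier`. The secret key base is a constructed value; the two salts are Rails' defaults for the signed and encrypted cookie jars. Going slightly beyond the commit message, it also shows the two easy mistakes the message alludes to: deriving the rotated signed-cookie secret with the encrypted-cookie salt, or with the encryptor's 32-byte `key_len`. Both produce a rotator that silently rejects every pre-upgrade cookie, exactly the "all users logged out" failure described above.

```ruby
require "openssl"
require "base64"

# Constructed stand-in for Rails.application.secret_key_base (example only).
SECRET_KEY_BASE = "constructed-secret-key-base-for-this-example-only"

# Rails' default salts for the two cookie jars
# (config.action_dispatch.signed_cookie_salt and
#  config.action_dispatch.authenticated_encrypted_cookie_salt).
SIGNED_COOKIE_SALT    = "signed cookie"
ENCRYPTED_COOKIE_SALT = "authenticated encrypted cookie"

ITERATIONS        = 1000 # iterations Rails passes to ActiveSupport::KeyGenerator for cookies
DEFAULT_KEY_SIZE  = 64   # KeyGenerator#generate_key default when key_len is omitted
ENCRYPTOR_KEY_LEN = 32   # ActiveSupport::MessageEncryptor.key_len for aes-256-gcm

# PBKDF2-HMAC, the derivation ActiveSupport::KeyGenerator performs.
# Rails 6.1 used SHA1 here; Rails 7.0 defaults to SHA256, so the derived
# secret changes even though secret_key_base and the salt do not.
def derive_key(digest_name, salt, key_size = DEFAULT_KEY_SIZE)
  OpenSSL::PKCS5.pbkdf2_hmac(SECRET_KEY_BASE, salt, ITERATIONS, key_size,
                             OpenSSL::Digest.new(digest_name))
end

# Minimal stand-in for ActiveSupport::MessageVerifier:
# cookie = base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload))).
class SimpleVerifier
  def initialize(secret)
    @secret = secret
  end

  def generate(value)
    data = Base64.strict_encode64(value)
    "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", @secret, data)}"
  end

  # Returns the payload, or nil when the tag does not match; never raises,
  # so a rotator can fall through to the next candidate secret.
  def verify(cookie)
    data, tag = cookie.split("--", 2)
    return nil unless data && tag
    expected = OpenSSL::HMAC.hexdigest("SHA1", @secret, data)
    return nil unless constant_time_equal?(expected, tag)
    Base64.strict_decode64(data)
  rescue ArgumentError
    nil
  end

  private

  # Constant-time comparison so a wrong tag is not rejected early byte-by-byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for config.action_dispatch.cookies_rotations: the current secret is
# tried first, then each rotated (legacy) secret in turn.
class RotatingVerifier
  def initialize(current_secret, rotated_secrets = [])
    @verifiers = [current_secret, *rotated_secrets].map { |s| SimpleVerifier.new(s) }
  end

  def verify(cookie)
    @verifiers.each do |v|
      value = v.verify(cookie)
      return value if value
    end
    nil
  end
end

def old_signed_secret; derive_key("SHA1",   SIGNED_COOKIE_SALT); end
def new_signed_secret; derive_key("SHA256", SIGNED_COOKIE_SALT); end

# A signed cookie as written by the app before the upgrade (SHA1-derived key).
def legacy_cookie
  SimpleVerifier.new(old_signed_secret).generate("remember-token-for-user-42")
end

# Rails 7 default with no rotator: the legacy cookie is unreadable.
def read_without_rotation(cookie)
  RotatingVerifier.new(new_signed_secret).verify(cookie)
end

# Correct rotation: same salt as the signed jar, key_len omitted (64 bytes).
def read_with_correct_rotation(cookie)
  RotatingVerifier.new(new_signed_secret, [old_signed_secret]).verify(cookie)
end

# Mistake 1: reusing the encrypted-cookie salt for the signed-cookie secret.
def read_with_wrong_salt(cookie)
  legacy = derive_key("SHA1", ENCRYPTED_COOKIE_SALT)
  RotatingVerifier.new(new_signed_secret, [legacy]).verify(cookie)
end

# Mistake 2: passing the encryptor's key_len when deriving the signed secret.
def read_with_wrong_key_len(cookie)
  legacy = derive_key("SHA1", SIGNED_COOKIE_SALT, ENCRYPTOR_KEY_LEN)
  RotatingVerifier.new(new_signed_secret, [legacy]).verify(cookie)
end

if $PROGRAM_NAME == __FILE__
  c = legacy_cookie
  puts "no rotation:       #{read_without_rotation(c).inspect}"
  puts "correct rotation:  #{read_with_correct_rotation(c).inspect}"
  puts "wrong salt:        #{read_with_wrong_salt(c).inspect}"
  puts "wrong key_len:     #{read_with_wrong_key_len(c).inspect}"
end
```

The `RotatingVerifier` order matters: the current secret is tried first so that cookies re-issued after the upgrade never pay for a second HMAC, and a legacy secret is consulted only on a miss. In a real upgrade the equivalent check is to issue a signed cookie on the 6.1 build, deploy the 7.0 build with the rotator, and confirm the old cookie still reads; a rotator derived with the wrong salt or `key_len` passes every unit test of the new code path while failing that one check.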