In Rails 4.x the secret_key_base is used to sign the session cookie and also any other signed cookies created by calling cookies.signed.
I'd like to update/cycle/roll this secret_key_base, but without losing access to all of the previously signed cookies (I don't mind losing the sessions). Is it possible to do this?
Ideally I'd like something like: secret_key_base's alongside each other over a period of time, so that cookies signed using the older key can be re-signed with the newer key.

I know there was similar functionality for upgrading from using a secret_token to a secret_key_base. Is there a way to achieve this using Rails?
You can achieve this by overwriting some of the methods like encrypted and signed in the cookies middleware to first try to read the cookies with your old secret_key_base. If it succeeds, then you can upgrade them to the new one. Eventually all old cookies will be upgraded to new ones and then you can just remove your custom patches. Take a look at
https://github.com/rails/rails/blob/8350925bec434168f56b4fae22b5298cb4a83c41/actionpack/lib/action_dispatch/middleware/cookies.rb
Also check out how the message verifier works here:
https://github.com/rails/rails/blob/8350925bec434168f56b4fae22b5298cb4a83c41/actionpack/lib/action_dispatch/middleware/cookies.rb#L251
Hope that helps.
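As an added illustration (not Rails' own code, and not part of the answer above), here is a standalone Ruby sketch of that "try the old key, then re-sign with the new key" step. It mimics the shape of Rails 4 signed cookies (base64 payload, `--`, HMAC-SHA1 hex digest over a key derived from secret_key_base with the "signed cookie" salt) using only the standard library; the two secrets and the JSON payload are constructed sample values, and the method names are my own.

```ruby
require 'openssl'
require 'base64'
require 'json'

SALT       = 'signed cookie'.freeze            # salt Rails uses for cookies.signed
OLD_SECRET = 'old-secret-key-base-sample'.freeze # constructed sample value
NEW_SECRET = 'new-secret-key-base-sample'.freeze # constructed sample value

# Derive the per-purpose signing key from a secret_key_base (PBKDF2, as Rails' KeyGenerator does).
def derive_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SALT, 1000, 64)
end

def digest_for(key, data)
  OpenSSL::HMAC.hexdigest('SHA1', key, data)
end

# Constant-time string comparison so a mismatch does not leak which byte differed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce a signed cookie value: base64(JSON payload)--hmac
def sign(key, value)
  data = Base64.strict_encode64(JSON.generate(value))
  "#{data}--#{digest_for(key, data)}"
end

# Return the payload if the signature is valid under this key, else nil.
def verify(key, signed)
  data, digest = signed.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(digest, digest_for(key, data))
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Rotation step: accept cookies signed with either secret. Returns [payload, cookie to
# store, status]; a cookie verified only by the old key comes back re-signed with the new one.
def verify_with_rotation(signed, new_secret: NEW_SECRET, old_secret: OLD_SECRET)
  new_key = derive_key(new_secret)
  value = verify(new_key, signed)
  return [value, signed, :current] if value
  value = verify(derive_key(old_secret), signed)
  return [nil, nil, :invalid] unless value
  [value, sign(new_key, value), :upgraded]
end
```

In a Rails app the same fallback would sit inside the patched signed/encrypted cookie jar the answer points at; once the old secret has not verified anything for longer than the cookies' lifetime, the fallback (and the old secret) can be deleted.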