
Is there a way to gracefully change the Rails secret_key_base?

Suppose we want to change our Rails app's secret_key_base. Is there a way to do so that doesn't immediately log out all our users?

When upgrading from Rails 3.2 to 4, with the corresponding change from secret_token to secret_key_base, Rails helped with the migration by updating new users' cookies as they came to the site. Once a good portion of users had visited, you could switch to secret_key_base exclusively without logging them out.

Is this sort of functionality available to change the secret_key_base generally, say if a developer leaves or something like that? The idea would be to set a new secret_key_base that will switch over users' cookies as they come to the site. Once a good proportion have visited, you can make the hard switch and remove the old secret_key_base.

I found an old Rails pull request that seems to start on this functionality, but they appear to have stopped working on it.

Gabe Durazo asked Dec 18 '15 17:12


1 Answer

In order to make this work you should customize Rails itself, versioning it. I don't think this answer would be the chosen one, but I would like to warn you about how deep these changes can be and the lack of security that you'll bring to your app.

Hamdan answered Oct 31 '22 20:10
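
The transition the question describes (accept cookies signed with either secret, re-issue them under the new one as users return), as an added Ruby sketch that is not part of either post and is not Rails' own code. `RotatingSigner`, `handle_cookie` and both secrets are hypothetical, constructed for illustration.

```ruby
require "openssl"

# Hypothetical stand-in for a signed-cookie signer; not Rails' implementation.
class RotatingSigner
  # First secret signs; every listed secret is accepted for verification.
  def initialize(current_secret, *old_secrets)
    @secrets = [current_secret, *old_secrets]
  end

  def sign(value)
    data = [value].pack("m0")
    "#{data}--#{mac(@secrets.first, data)}"
  end

  # Returns [value, signed_with_old_secret], or nil when no secret matches.
  def verify(cookie)
    data, tag = cookie.to_s.split("--", 2)
    return nil if data.nil? || tag.nil?
    @secrets.each_with_index do |secret, i|
      next unless constant_time_eq?(mac(secret, data), tag)
      return [data.unpack1("m0").force_encoding("UTF-8"), i > 0]
    end
    nil
  end

  private

  def mac(secret, data)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  def constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Per-request step: read the cookie, and re-issue it under the current
# secret when it was still signed with an old one.
def handle_cookie(signer, cookie)
  value, stale = signer.verify(cookie)
  return { session: nil, set_cookie: nil } if value.nil?
  { session: value, set_cookie: stale ? signer.sign(value) : nil }
end

OLD_SECRET = "constructed-old-secret" # sample values, not real keys
NEW_SECRET = "constructed-new-secret"
```

While the old secret stays in the accepted list, anyone who holds it can still produce cookies that verify, so the overlap window should be as short as the login pattern of the user base allows. The hard switch is constructing the signer with the new secret alone.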