Improve session expiration

[beaugunderson]

Currently a new COOKIE_SECRET is chosen each time the server starts, invalidating all previous sessions. From discussions with @wasade it seems that this invalidation can be a barrier to deployment (it logs everyone out and that's undesirable).

One way to solve this is to move COOKIE_SECRET to the configuration file. This would allow sessions (which are just persisted in secure cookies) to persist across server restarts. The COOKIE_SECRET in the configuration could be changed manually if session invalidation is ever desired.

If this is an acceptable change I'm happy to write a pull request. :)

[wasade]

👍, thanks @beaugunderson!

cc @squirrelo @antgonza @josenavas @ElDeveloper @adamrp, this approach may be of interest on qiita

[ElDeveloper]

Yes, I like this idea a lot!

On (Feb-27-15|15:49), Daniel McDonald wrote:

👍, thanks @beaugunderson!

cc @qiita-dev, this approach may be of interest

---

Reply to this email directly or view it on GitHub:
#391 (comment)

[squirrelo]

I'm cool with it.

[adamrp]

Makes good sense to me. Security wise, what circumstances would warrant a
cookie secret change?
On Feb 27, 2015 5:17 PM, "Joshua Shorenstein" notifications@github.com
wrote:

I'm cool with it.

—
Reply to this email directly or view it on GitHub
#391 (comment)
.

[beaugunderson]

@adamrp If you found a vulnerability that enabled session highjacking that would be an excellent reason to invalidate all existing sessions. :)

[beaugunderson]

OK, a simple pull request for this is at #392.