Is your feature request related to a problem? Please describe.
I'd like the ability to more easily rotate keys by being able to add a list of valid decryption keys.
Describe the solution you'd like
Change New(hashKey, blockKey []byte) to New(hashKey, blockKey []byte, decodeKeys ...[]byte) and add a check that if a cookie cannot be decoded with the hashKey to try with the decode keys until one matches or all fail. This would allow users to have some logic like New(todaysKey(), nil, tomorrowsKey(), yesterdaysKey()) and rotate keys automatically even in a distributed environment. It would also preserve backwards compatibility with New(hashKey, nil).
Describe alternatives you've considered
There's the obvious, just don't rotate the keys. Or coordinate a failover mechanism by chaining decodes using multiple secure cookies. This seems like a more straightforward approach however.
Alternative solution: adding methods such as RotateHashIn(hashKey []byte)/RotateHashOut(hashKey []byte)/RotateBlockIn(blockKey []byte)/RotateBlockOut(blockKey []byte)
'In' methods to move a new key into the hashKey/blockKey variable and move the old key into a hash/block slice for decoding. 'Out' methods to remove a key from the slice.
tflyons changed the title from "Add an option to decode against multiple keys [feature]" to "Document using multiple codecs in the readme" on Oct 6, 2019
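Added example, not part of the issue and not securecookie's own code: a standard-library Go sketch of the behaviour requested above, where cookies are signed with one current key and verified against a list of keys. The HMAC-SHA256 cookie format, the `Sign`/`Verify` names and the key values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrNoKeyMatched = errors.New("cookie did not verify under any key")
var b64 = base64.RawURLEncoding

// mac binds the cookie name to the payload so a value cannot be replayed under another name.
func mac(key []byte, name, payload string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(name + "|" + payload))
	return h.Sum(nil)
}

// Sign always uses the single current key; older keys are kept for verification only.
func Sign(name, value string, key []byte) string {
	p := b64.EncodeToString([]byte(value))
	return p + "." + b64.EncodeToString(mac(key, name, p))
}

// Verify tries each key in order and returns the index of the key that matched.
func Verify(name, cookie string, keys ...[]byte) (string, int, error) {
	parts := strings.SplitN(cookie, ".", 2)
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 2 || err != nil {
		return "", -1, ErrNoKeyMatched
	}
	for i, k := range keys {
		if hmac.Equal(sig, mac(k, name, parts[0])) { // constant-time comparison
			v, err := b64.DecodeString(parts[0])
			return string(v), i, err
		}
	}
	return "", -1, ErrNoKeyMatched
}

func main() {
	// Constructed keys: a cookie issued yesterday still verifies after rotation.
	today, yesterday := []byte("constructed-key-today"), []byte("constructed-key-yesterday")
	fmt.Println(Verify("session", Sign("session", "user=42", yesterday), today, yesterday))
}
```

A match at an index greater than 0 means the cookie was issued under an older key and can be re-issued under the current one.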