Change default KeyGenerator digest to SHA1 to fix cookies in rolling upgrades #26023
Merged
The way I understood this `hash_digest_class` argument is that it was essentially specifying which algorithm the incoming cookies had been created with, which in our case for existing non-updated-to-rails-7 instances is SHA1 -- and it seems like this change would tell the rotator that the incoming cookies to be rotated were created with SHA256? Or do I misunderstand this setting?
You are not misunderstanding, it tells Rails how to read existing cookies that use SHA256.
This is so the version with this PR can coexist with an upcoming that switches to outputting SHA256.
Ah, so is the rotator behavior then to just silently do nothing when it gets cookies created with any other digest than what is specified? I guess it would have to be, because once you rotate you don't want to keep rotating.
So in that case, just to think out loud a bit...
`Digest::SHA1` class and not accepting Rails 7 defaults; and the cookie rotator will just do nothing for now since there won't be any inbound SHA256-created cookies coming in.
Then on a subsequent release, if we flip off the digest_class setting (and thus the Rails 7 default of SHA256 takes effect), and also flip the rotator to look to rotate SHA1-created cookies, then during the rolling deploy:
Is that roughly accurate and more in line with the intentions here?
Yes!
Ok, cool - I think that works.
Not sure how to test this ... ideally you could create like a 2-server mini cluster just running locally and have an http server flip inbound requests back and forth between them, and then just make a bunch of requests and watch that the format gets adjusted back and forth all while preserving session.
I tested by reverting the Rails 7 update and it seems to work!
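The rolling-deploy behaviour discussed in this thread, including the "flip requests between two servers" test idea, as an added example that is not code from this PR or from Rails: a plain-Ruby model where each server signs with a key derived under one digest class and also accepts keys derived under its rotation digests. `Server`, `derive_key`, `bounce`, the secret, salt, iteration count and cookie format are assumptions made for illustration.

```ruby
require "openssl"
SECRET = "constructed-secret-key-base" # constructed sample value
SALT = "signed cookie"                 # assumed salt for this example
SHA1, SHA256 = OpenSSL::Digest::SHA1, OpenSSL::Digest::SHA256

# PBKDF2 key derivation: the digest class changes the derived signing key.
def derive_key(digest_class)
  OpenSSL::PKCS5.pbkdf2_hmac(SECRET, SALT, 1000, 64, digest_class.new)
end

# Hypothetical server: signs with its first key, also accepts rotation keys.
class Server
  def initialize(write_digest, rotations = [])
    @keys = [write_digest, *rotations].map { |d| derive_key(d) }
  end

  def write_cookie(value)
    data = [value].pack("m0")
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', @keys.first, data)}"
  end

  # Returns [value, reissued cookie or nil], or nil when no key verifies.
  def read_cookie(cookie)
    data, tag = cookie.split("--", 2)
    idx = data && tag && @keys.index { |k| same?(OpenSSL::HMAC.hexdigest("SHA256", k, data), tag) }
    return nil unless idx
    value = data.unpack1("m0")
    [value, idx.zero? ? nil : write_cookie(value)]
  end

  private
  def same?(a, b) # constant-time comparison of two MAC strings
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Alternate one cookie between servers, as a load balancer does mid-deploy.
def bounce(servers, cookie, rounds)
  rounds.times.map do |i|
    value, reissued = servers[i % servers.size].read_cookie(cookie)
    return nil unless value      # session lost: this server cannot verify
    cookie = reissued || cookie  # adopt the re-signed cookie after rotation
    value
  end
end

THIS_PR = Server.new(SHA1, [SHA256])  # writes SHA1, rotator reads SHA256
UPCOMING = Server.new(SHA256, [SHA1]) # writes SHA256, rotator reads SHA1
LEGACY = Server.new(SHA1)             # SHA1 only, no rotator
```

Bouncing a cookie between `THIS_PR` and `UPCOMING` keeps the session while the signature format flips on each hop; bouncing between `UPCOMING` and `LEGACY` returns `nil` once the SHA256-signed cookie reaches the SHA1-only server.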