Use authenticated cookie options to disable embedding of the expiry information in the cookies #32141
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
eugeneius
reviewed
Mar 1, 2018
| # Embeds the experity of a cookie inside its value. | ||
| # This makes the cookie value incompatible with Rails < 5.2 so set to false if your | ||
| # cookie needs to be read by a Rails < 5.2 application. | ||
| # Rails.application.config.action_dispatch.embed_expirity_in_the_cookie_value = true |
There was a problem hiding this comment.
I don't think expirity is a real word 😬
Maybe use_embedded_cookie_expiration?
There was a problem hiding this comment.
I'd go with embed_expiry_in_signed_and_encrypted_cookies. Or use_authenticated_encryption_and_embed_expiry_for_cookies if we're unifying with use_authenticated_cookie_encryption.
kaspth
reviewed
Mar 1, 2018
|
|
||
| To improve security, Rails now embeds the expirity information also in encrypted or signed cookies value. | ||
|
|
||
| This new embded informaiton make those cookies incompatible with versions of Rails older than 5.2. |
| This new embded informaiton make those cookies incompatible with versions of Rails older than 5.2. | ||
|
|
||
| If you require your cookies to be read by 5.1 and older, set | ||
| `Rails.application.config.action_dispatch.embed_expirity_in_the_cookie_value` to `false`. |
There was a problem hiding this comment.
Might want to suggest that it's useful for when you're validating your 5.2 deploy and allows you to rollback.
| @@ -14,6 +14,11 @@ | |||
| # Existing cookies will be converted on read then written with the new scheme. | |||
| # Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true | |||
There was a problem hiding this comment.
While we're here we may as well say that this also breaks cookie backwards compatibility with 5.1.
We could also consider unifying the 2 options into one. Or just read use_authenticated_cookie_encryption as embed the expiry.
There was a problem hiding this comment.
Yeah. I'll use use_authenticated_cookie_encryption for both configs.
| @@ -14,6 +14,11 @@ | |||
| # Existing cookies will be converted on read then written with the new scheme. | |||
| # Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true | |||
|
|
|||
| # Embeds the experity of a cookie inside its value. | |||
| # This makes the cookie value incompatible with Rails < 5.2 so set to false if your | |||
| # cookie needs to be read by a Rails < 5.2 application. | |||
There was a problem hiding this comment.
I'd say:
# Embed cookie expiry in signed or encrypted cookies for increased security.
# This option is not backwards compatible with earlier Rails versions.
# It's best enabled when your entire app is migrated and stable on 5.2.| # Embeds the experity of a cookie inside its value. | ||
| # This makes the cookie value incompatible with Rails < 5.2 so set to false if your | ||
| # cookie needs to be read by a Rails < 5.2 application. | ||
| # Rails.application.config.action_dispatch.embed_expirity_in_the_cookie_value = true |
There was a problem hiding this comment.
I'd go with embed_expiry_in_signed_and_encrypted_cookies. Or use_authenticated_encryption_and_embed_expiry_for_cookies if we're unifying with use_authenticated_cookie_encryption.
| @@ -22,6 +22,7 @@ class Railtie < Rails::Railtie # :nodoc: | |||
| config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie" | |||
| config.action_dispatch.use_authenticated_cookie_encryption = false | |||
| config.action_dispatch.perform_deep_munge = true | |||
| config.action_dispatch.embed_expirity_in_the_cookie_value = true | |||
There was a problem hiding this comment.
Shouldn't this be set to true in load_defaults instead? Otherwise upgrading apps will still break because of the commented out value in new_framework_defaults.
rafaelfranca
force-pushed
the
rm-configure-embedded-expirity
branch
from
02f0e76
to
aba8fc8
Compare
rafaelfranca
changed the title
kaspth
approved these changes
Mar 6, 2018
guides/source/configuring.md
Outdated
| @@ -502,6 +502,10 @@ Defaults to `'signed cookie'`. | |||
| * `config.action_dispatch.cookies_rotations` allows rotating | |||
| secrets, ciphers, and digests for encrypted and signed cookies. | |||
|
|
|||
| * `config.action_dispatch.use_authenticated_cookie_encryption` controls encrypted cookies to use AES-256-GC | |||
| authenticated encryption and if signed and excrypted cookies are going to embed the expirition information | |||
| @@ -76,6 +76,17 @@ Rails 5.2 adds bootsnap gem in the [newly generated app's Gemfile](https://githu | |||
| The `app:update` task sets it up in `boot.rb`. If you want to use it, then add it in the Gemfile, | |||
| otherwise change the `boot.rb` to not use bootsnap. | |||
|
|
|||
| ### Expirity is now embedded in the cookies values | |||
There was a problem hiding this comment.
Expiry … in signed or encrypted cookies. It's only those cookies that get it embedded.
| # Existing cookies will be converted on read then written with the new scheme. | ||
| # Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true | ||
|
|
||
| # Rails.application.config.action_dispatch.embed_expirity_in_the_cookie_value = true |
There was a problem hiding this comment.
This comment line isn't needed.
|
|
||
| To improve security, Rails now embeds the expirity information also in encrypted or signed cookies value. | ||
|
|
||
| This new embded information make those cookies incompatible with versions of Rails older than 5.2. |
| @@ -76,6 +76,17 @@ Rails 5.2 adds bootsnap gem in the [newly generated app's Gemfile](https://githu | |||
| The `app:update` task sets it up in `boot.rb`. If you want to use it, then add it in the Gemfile, | |||
| otherwise change the `boot.rb` to not use bootsnap. | |||
|
|
|||
| ### Expirity is now embedded in the cookies values | |||
|
|
|||
| To improve security, Rails now embeds the expirity information also in encrypted or signed cookies value. | |||
|
|
||
| This new embded information make those cookies incompatible with versions of Rails older than 5.2. | ||
|
|
||
| If you require your cookies to be read by 5.1 and older, or you are still validating your 5.2 deploy and wants |
…on in the cookies We were generating the cookie value with the expiry information embedded what makes the value impossible to be read by a Rails 5.1 application. This option is only useful if you need to share your cookies between a Rails 5.1 and a Rails 5.2 application, or if you are still validating the deploy and wants to eventually rollback.
rafaelfranca
force-pushed
the
rm-configure-embedded-expirity
branch
from
aba8fc8
to
b25fcbc
Compare
rafaelfranca
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We were generating the cookie value with the expiration embedded what makes the value impossible to be read by a Rails 5.1 application.
This option is only useful if you need to share your cookies between a Rails 5.1 and a Rails 5.2 application, or if you are still validating the deploy and wants to eventually rollback.