Rails 4: cookies are invalidated after setting secret_key_base #9740

trevorturk opened this Issue Mar 15, 2013 · 7 comments

5 participants


The UpgradeSignatureToEncryptionCookieStore feature added by @spastorino in 8eefdb6 is great, but it only covers sessions using CookieStore, not cookies in general.

When upgrading an app from 3.x to 4.0, all cookies are invalidated if you set secret_key_base as recommended by the deprecation warnings from ( and the upgrade guide (

I made an example app to demonstrate the issue here:

This isn't really a bug -- more of a feature request. I think it's an important one, though.

Should we start by adding a caveat into the upgrade guide explaining the situation?

In terms of adding the feature, I think we'd need a new cookie jar that would operate a bit like UpgradeSignatureToEncryptionCookieStore and a way for your app to opt into that cookie jar.

Thoughts? /cc @dhh, @jeremy, @spastorino
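The fallback proposed in the post above, sketched as an added example (not code from the issue, the example app, or Rails): a cookie signed with the old `secret_token` is accepted once and re-signed under a key derived from `secret_key_base`. The secrets, helper names, PBKDF2 parameters and the `data--digest` layout are assumptions made for the illustration.

```ruby
require "openssl"

# Constructed sample secrets; not taken from the issue or any real app.
LEGACY_SECRET_TOKEN = "legacy-secret-token-constructed-sample"
SECRET_KEY_BASE     = "secret-key-base-constructed-sample"
# Assumed derivation of the new signing key (salt and iteration count are illustrative).
NEW_KEY = OpenSSL::PKCS5.pbkdf2_hmac_sha1(SECRET_KEY_BASE, "signed cookie", 1000, 64)

# Sign a string value as "base64(value)--hex(HMAC-SHA1(key, base64(value)))".
def sign(value, key)
  data = [value].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)}"
end

# Constant-time comparison so the digest check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if the signature verifies under key, otherwise nil.
def verify(cookie, key)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data)
  return nil unless secure_compare(digest, expected)
  data.unpack1("m0")
rescue ArgumentError # payload was not valid base64
  nil
end

# Hypothetical upgrade read: a cookie valid under the new key is used as is;
# a cookie valid only under the legacy secret is accepted and returned
# re-signed so the response can replace it; anything else is rejected.
def read_with_upgrade(cookie)
  if (value = verify(cookie, NEW_KEY))
    { value: value, set_cookie: nil }
  elsif (value = verify(cookie, LEGACY_SECRET_TOKEN))
    { value: value, set_cookie: sign(value, NEW_KEY) }
  else
    { value: nil, set_cookie: nil }
  end
end
```

Without the legacy branch, every cookie signed under the old secret fails verification as soon as the new key is in use, which is the invalidation the post describes.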

Ruby on Rails member
dhh commented Mar 15, 2013

Will do!

Ruby on Rails member

@trevorturk :+1: please do and ping me to merge

Ruby on Rails member

This is the first time I looked at cookie code so maybe I missed something. Here is my fix.


Here is the forked app with the fix.



Thanks so much, @neerajdotname! This is a great start. I'm working something up that goes a bit farther, and I'll post back here when I wrap it up -- hopefully in the next day or two.


Hey all -- I created a pull request for this issue in #9909. Please let me know what you think! I'll leave this issue open for now as I see it's associated with the 4.0.0 milestone.

Ruby on Rails member
jeremy commented Mar 24, 2013

(Put #9909 on 4.0.0 milestone)

@jeremy jeremy closed this Mar 24, 2013