The UpgradeSignatureToEncryptionCookieStore feature added by @spastorino in 8eefdb6 is great, but it only covers sessions using CookieStore, not cookies in general.
When upgrading an app from 3.x to 4.0, all cookies are invalidated if you set secret_key_base as recommended by the deprecation warnings from (https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L138) and the upgrade guide (https://github.com/rails/rails/blob/master/guides/source/upgrading_ruby_on_rails.md#action-pack).
I made an example app to demonstrate the issue here: https://github.com/trevorturk/rails-cookie-issue
This isn't really a bug -- more of a feature request. I think it's an important one, though.
Should we start by adding a caveat into the upgrade guide explaining the situation?
In terms of adding the feature, I think we'd need a new cookie jar that would operate a bit like UpgradeSignatureToEncryptionCookieStore and a way for your app to opt into that cookie jar.
Thoughts? /cc @dhh, @jeremy, @spastorino
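To make the mechanism in the request concrete, here is an added example (not code from this thread or from Rails) of what such an upgrading cookie jar has to do on every read: accept a cookie in the old signed format, verify it against the legacy `secret_token`, and re-issue it encrypted under a key derived from `secret_key_base`, while cookies already in the new format are left alone and anything that fails authentication is treated as absent. The legacy format is modelled on the Rails 3.x `"base64(payload)--hex(HMAC-SHA1)"` layout; the encrypted format (AES-256-CBC plus a separate HMAC), the PBKDF2 salts and iteration count, the SHA-256 digests, and the JSON serializer are all choices made for this illustration, not Rails' actual wire format.

```ruby
require "openssl"
require "base64"
require "json"

# Constant-time string comparison so MAC checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res.zero?
end

# --- Legacy signed cookie, modelled on Rails 3.x: "base64(payload)--hex(HMAC-SHA1)".
# JSON is used as the serializer here instead of Marshal (an illustration choice).
def sign_legacy(value, secret_token)
  data = Base64.strict_encode64(JSON.generate(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", secret_token, data)}"
end

def verify_legacy(cookie, secret_token)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret_token, data)
  return nil unless secure_compare(digest, expected)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- New encrypted cookie: keys derived from secret_key_base via PBKDF2.
# Salts and the (deliberately low) iteration count are assumptions for this example.
def derive_key(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, 1000, 32, OpenSSL::Digest.new("SHA256"))
end

def encrypt_cookie(value, secret_key_base)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = derive_key(secret_key_base, "encrypted cookie")
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(value)) + cipher.final
  payload = "#{Base64.strict_encode64(ct)}--#{Base64.strict_encode64(iv)}"
  mac = OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret_key_base, "signed encrypted cookie"), payload)
  "#{payload}--#{mac}"
end

def decrypt_cookie(cookie, secret_key_base)
  ct_b64, iv_b64, mac = cookie.split("--", 3)
  return nil if mac.nil?                      # not in the encrypted layout at all
  payload = "#{ct_b64}--#{iv_b64}"
  expected = OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret_key_base, "signed encrypted cookie"), payload)
  return nil unless secure_compare(mac, expected)   # authenticate before touching the ciphertext
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.decrypt
  cipher.key = derive_key(secret_key_base, "encrypted cookie")
  cipher.iv = Base64.strict_decode64(iv_b64)
  JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# --- The upgrade jar: read either format, always write the new one.
# Returns [value, replacement_cookie]; replacement_cookie is nil when no rewrite is needed.
def read_with_upgrade(cookie, secret_key_base:, secret_token:)
  value = decrypt_cookie(cookie, secret_key_base)
  return [value, nil] if value                 # already encrypted: nothing to do
  value = verify_legacy(cookie, secret_token)
  return [nil, nil] if value.nil?              # tampered or unknown: treat as no cookie
  [value, encrypt_cookie(value, secret_key_base)]
end

if __FILE__ == $0
  old_secret = "legacy secret_token " * 4     # constructed sample secrets
  new_secret = "new secret_key_base " * 4
  legacy = sign_legacy({ "user_id" => 42 }, old_secret)
  value, upgraded = read_with_upgrade(legacy, secret_key_base: new_secret, secret_token: old_secret)
  puts "read #{value.inspect}, re-issued as #{upgraded[0, 24]}..."
end
```

Two points a practitioner would check in a real implementation: the new format is tried first and each branch is independently authenticated, so the legacy path can be removed later without touching the encrypted path; and the legacy verifier must only ever consult `secret_token`, never the new key, otherwise the old secret's compromise would also forge new-format cookies.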
@trevorturk please do and ping me to merge
This is the first time I looked at cookie code, so maybe I missed something. Here is my fix.
Here is the forked app with the fix.
Thanks so much, @neerajdotname! This is a great start. I'm working something up that goes a bit farther, and I'll post back here when I wrap it up -- hopefully in the next day or two.
Hey all -- I created a pull request for this issue in #9909. Please let me know what you think! I'll leave this issue open for now as I see it's associated with the 4.0.0 milestone.
(Put #9909 on 4.0.0 milestone)