
Rails 4: cookies are invalidated after setting secret_key_base #9740

Closed
trevorturk opened this Issue Mar 15, 2013 · 7 comments

5 participants

@trevorturk

The UpgradeSignatureToEncryptionCookieStore feature added by @spastorino in 8eefdb6 is great, but it only covers sessions using CookieStore, not cookies in general.

When upgrading an app from 3.x to 4.0, all cookies are invalidated if you set secret_key_base as recommended by the deprecation warnings from (https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L138) and the upgrade guide (https://github.com/rails/rails/blob/master/guides/source/upgrading_ruby_on_rails.md#action-pack).

I made an example app to demonstrate the issue here: https://github.com/trevorturk/rails-cookie-issue

This isn't really a bug -- more of a feature request. I think it's an important one, though.

Should we start by adding a caveat into the upgrade guide explaining the situation?

In terms of adding the feature, I think we'd need a new cookie jar that would operate a bit like UpgradeSignatureToEncryptionCookieStore and a way for your app to opt into that cookie jar.

Thoughts? /cc @dhh, @jeremy, @spastorino
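As an added illustration of the upgrade path the post asks for (this is not code from the issue, from the example app, or from Rails itself), the following Ruby models the two signing schemes and the fallback jar. The legacy scheme signs with secret_token used directly as the HMAC key; the new scheme signs with a key derived from secret_key_base via PBKDF2 (the salt string, iteration count and key length are assumptions for the demo, as are the constructed secrets). The "upgrade" verifier tries the new key, falls back to the old key, and on a legacy hit hands back a re-signed value so the app can rewrite the cookie instead of dropping it.

```ruby
require 'openssl'
require 'base64'

# Constructed demo secrets; not real application secrets.
OLD_SECRET_TOKEN    = 'rails3-secret-token-' + ('a' * 40)
NEW_SECRET_KEY_BASE = 'rails4-secret-key-base-' + ('b' * 40)

# New-style key: derived from secret_key_base with PBKDF2.
# Salt, iterations and length are assumptions for this example.
def derive_key(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, 64)
end

OLD_KEY = OLD_SECRET_TOKEN                          # legacy: secret used as-is
NEW_KEY = derive_key(NEW_SECRET_KEY_BASE, 'signed cookie')

# Constant-time comparison so a forged digest cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# "data--hmac" layout: base64 payload, then a hex HMAC-SHA1 over that payload.
def sign(value, key)
  data = Base64.strict_encode64(value)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', key, data)}"
end

# Returns the plaintext value, or nil when the signature does not verify under key.
def verify(signed, key)
  data, digest = signed.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', key, data)
  return nil unless secure_compare(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# The fallback jar. Returns [value, resigned_cookie]:
#   value            - the verified plaintext, or nil if neither key matches
#   resigned_cookie  - a fresh cookie under new_key when the old key was needed,
#                      nil when the cookie already verified under new_key
# A caller would set resigned_cookie on the response to complete the migration.
def verify_and_upgrade(signed, new_key, old_key)
  value = verify(signed, new_key)
  return [value, nil] if value
  value = verify(signed, old_key)
  return [nil, nil] unless value
  [value, sign(value, new_key)]
end

if __FILE__ == $PROGRAM_NAME
  legacy = sign('user_id=42', OLD_KEY)
  puts "new key alone rejects legacy cookie: #{verify(legacy, NEW_KEY).nil?}"
  value, resigned = verify_and_upgrade(legacy, NEW_KEY, OLD_KEY)
  puts "fallback recovers value: #{value.inspect}"
  puts "re-signed cookie verifies under new key: #{!verify(resigned, NEW_KEY).nil?}"
end
```

Once the cookie has been re-signed under the new key the old key is never consulted again for that cookie, so the fallback is one-way; after the old cookies have aged out the legacy key can be removed from the configuration.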

@dhh
Ruby on Rails member
dhh commented Mar 15, 2013
@trevorturk

Will do!

@spastorino
Ruby on Rails member

@trevorturk :+1: please do and ping me to merge

@neerajdotname
Ruby on Rails member

This is the first time I looked at cookie code so maybe I missed something. Here is my fix.

neerajdotname@42f07f7

Here is the forked app with the fix.

neerajdotname/rails-cookie-issue@ea6e5f4

@trevorturk

Thanks so much, @neerajdotname! This is a great start. I'm working something up that goes a bit farther, and I'll post back here when I wrap it up -- hopefully in the next day or two.

@trevorturk

Hey all -- I created a pull request for this issue in #9909. Please let me know what you think! I'll leave this issue open for now as I see it's associated with the 4.0.0 milestone.

@jeremy
Ruby on Rails member
jeremy commented Mar 24, 2013

(Put #9909 on 4.0.0 milestone)

@jeremy jeremy closed this Mar 24, 2013