docs: expand key rotation example for future #474
Conversation
Co-authored-by: Vincent Voyer <vincent@codeagain.com>
Yes, it does look right on the explanation. I am not even using rotation on my side (BOOO!). The rotation strategy can also be simplified to:
day 0:
day 7:
day 14:
day 21:
What do you think? |
Does a 2 week session mean that you get logged out and see a login screen every 2 weeks, or that you need to access the site at least every two weeks to remain logged in and never see a login screen? |
You need to access the site and do an action that itself will resolve to a session.save(). There's no automatic session refresh for reads only. |
While I agree that your approach sounds feasible, it also looks like something you could easily mess up by accident if you were doing it regularly and had a lot of passwords over time. |
Hey @vvo, I've been testing the password rotation functionality, and I completely agree with your example, but it doesn't seem to work that way. What I've found is that the password number can't change or the unseal fails. e.g., this unit test passes
but this one fails
Note the subtle difference being the definition of "secondPassword" where the IDs are in the reverse order. When the password used to encrypt is moved to "2", the unseal fails. |
FWIW I would like to try the approach proposed by @vvo, so I'm also interested in seeing if it works as hoped |
Just wanted to see what the current status/progress for this PR is. Sorry for sounding naive, but by any chance do we have password rotation at |
Closing as the READMEs have changed a lot, if you want to add more details on how password rotation can be used in iron-session feel free to open a new PR |
I'm guessing/hoping that this is how it works, but I figured it was as much effort to prepare a docs PR in case it is than to ask the question. Does this look right?