@vlj91
Last active October 7, 2022 09:40
rails secret_key_base rotation
  • The CookieStore derives the keys that encrypt and sign the session cookie from secret_key_base
  • Rails 7 introduces a
  • When secret_key_base is rotated without a rotator, every cookie written under the old value fails to decrypt or verify, so all existing sessions are lost at once
  • A rotation initializer can be added so that users who visit the site have their cookies read with the old configuration and then rewritten with the new secret_key_base
  • The rotator can be removed either after a grace period or once an audit shows that no cookies written under the previous secret_key_base are still arriving
  • Multiple rotators can exist at once, one per old configuration
  • Rotators can be used for other changes as well, such as moving the digest used for cookie keys from SHA1 to SHA256 (the Rails 7.0 default for key derivation)

A simple rotator that keeps reading cookies written under the previous secret_key_base (placed in an initializer, for example config/initializers/cookie_rotator.rb) may look like this:

Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
  # Rails never uses secret_key_base as a cookie key directly: each jar derives its key with
  # ActiveSupport::KeyGenerator (PBKDF2, 1000 iterations, per-purpose salt). The fallback handed to
  # rotate is therefore the key derived from the OLD secret_key_base, passed as a positional argument.
  old_keys = ActiveSupport::KeyGenerator.new(Rails.application.credentials.old_secret_key_base, iterations: 1000)
  cookies.rotate :encrypted, old_keys.generate_key(Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len)
  cookies.rotate :signed, old_keys.generate_key(Rails.application.config.action_dispatch.signed_cookie_salt)
end
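The notes above describe the mechanism in prose. What follows is an added example, not code from this gist or from Rails itself: a model of the same rotation written against the Ruby standard library so it runs without a Rails app. It derives cookie keys from secret_key_base with PBKDF2 the way ActiveSupport::KeyGenerator does, registers a current configuration plus two rotations (old secret with SHA1 derivation, new secret with SHA1 derivation, the situation when secret_key_base and the Rails 7.0 digest change land together), shows a cookie from the old configuration being read and rewritten under the current key, counts such rewrites for the audit step, and shows why the rotator must be fed a derived key rather than the raw secret_key_base. `COOKIE_SALT` is Rails' default authenticated_encrypted_cookie_salt; the secrets, class names and method names are constructed for this example.

```ruby
require "openssl"

# Added, constructed model of what ActiveSupport::KeyGenerator and MessageEncryptor do behind
# cookies_rotations; standard library only. Class, method and secret names are this example's own.

# Rails derives every cookie key from secret_key_base with PBKDF2-HMAC (1000 iterations, a per-purpose
# salt, SHA1 before the 7.0 defaults and SHA256 from 7.0 on). The raw secret_key_base is never a key.
def derive_cookie_key(secret_key_base, salt, digest: "SHA256", key_len: 32, iterations: 1000)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, iterations, key_len, OpenSSL::Digest.new(digest))
end

# AES-256-GCM in the "ciphertext--iv--tag" Base64 layout MessageEncryptor also uses.
class CookieEncryptor
  InvalidMessage = Class.new(StandardError)

  def initialize(key)
    @key = key
  end

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key   # ArgumentError unless the key is exactly 32 bytes
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
  end

  def decrypt(message)
    ciphertext, iv, tag = message.to_s.split("--").map { |part| part.unpack1("m0") }
    raise InvalidMessage unless iv && tag
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ciphertext) + cipher.final   # final fails the GCM tag check under a wrong key
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    raise InvalidMessage
  end
end

# Same lookup order as Rails: the current configuration first, then each rotation in registration
# order. A cookie that only an old configuration can read is re-encrypted with the current key,
# which is the "read with the old configuration, rewritten with the new" step from the notes.
class RotatingCookieJar
  attr_reader :rotated_count

  def initialize(current_key)
    @current = CookieEncryptor.new(current_key)
    @rotations = []
    @rotated_count = 0   # audit counter: cookies that still arrived under an old configuration
  end

  def rotate(old_key)
    @rotations << CookieEncryptor.new(old_key)
    self
  end

  # Returns [session_value, replacement_cookie]; replacement_cookie is nil when the cookie already uses
  # the current configuration, both are nil when nothing can read it (every cookie, with no rotator).
  def read(cookie)
    [@current.decrypt(cookie), nil]
  rescue CookieEncryptor::InvalidMessage
    @rotations.each do |old|
      begin
        value = old.decrypt(cookie)
        @rotated_count += 1
        return [value, @current.encrypt(value)]
      rescue CookieEncryptor::InvalidMessage
        next
      end
    end
    [nil, nil]
  end
end

# Constructed scenario: secret_key_base was rotated and the app adopted SHA256 key derivation at the
# same time, so cookies in the wild may come from two old configurations; one rotator covers each.
COOKIE_SALT = "authenticated encrypted cookie"   # Rails' default authenticated_encrypted_cookie_salt
OLD_SECRET_KEY_BASE = "old-secret-key-base-" * 3 # constructed; a real one is 128 hex characters
NEW_SECRET_KEY_BASE = "new-secret-key-base-" * 3

def build_rotating_jar
  jar = RotatingCookieJar.new(derive_cookie_key(NEW_SECRET_KEY_BASE, COOKIE_SALT, digest: "SHA256"))
  jar.rotate(derive_cookie_key(OLD_SECRET_KEY_BASE, COOKIE_SALT, digest: "SHA1"))   # old secret, old digest
  jar.rotate(derive_cookie_key(NEW_SECRET_KEY_BASE, COOKIE_SALT, digest: "SHA1"))   # new secret, old digest
end

# Why the fallback must be a derived key: the raw secret_key_base has the wrong length for AES-256,
# so a rotator built from it never reads a single cookie and the rotation silently does nothing.
def raw_secret_usable_as_key?(secret_key_base)
  CookieEncryptor.new(secret_key_base).encrypt("probe")
  true
rescue ArgumentError
  false
end
```

To exercise it, encrypt a session string with `CookieEncryptor.new(derive_cookie_key(OLD_SECRET_KEY_BASE, COOKIE_SALT, digest: "SHA1"))`, pass it to `build_rotating_jar.read`, and note that the returned replacement cookie then reads under the current configuration with no further rotation. Rails keeps no counter of rotated cookies, so the `rotated_count` here stands in for whatever instrumentation the audit step in the notes uses; once it stays at zero over a full cookie lifetime the rotator can go.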