authorKasper Timm Hansen <kaspth@gmail.com>2017-09-13 21:26:45 +0200
committerKasper Timm Hansen <kaspth@gmail.com>2017-09-13 21:28:11 +0200
commitca18922ac23be2cde6963fae9b193c9111bec6f8 (patch)
tree395a1d4bd327a1b9638dc04df67827c8beffb9b8 /actionpack
parent9d7d75cab892f66db9a0173b78a9e1b901224066 (diff)
[ci skip] Prefer credentials to secrets in docs.
Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb16
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/cookie_store.rb24
2 files changed, 12 insertions, 28 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index adad743d38..845df500d8 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -89,13 +89,11 @@ module ActionDispatch
# cookies[:login] = { value: "XJ-122", expires: Time.utc(2020, 10, 15, 5) }
#
# # Sets a signed cookie, which prevents users from tampering with its value.
- # # The cookie is signed by your app's `secrets.secret_key_base` value.
# # It can be read using the signed method `cookies.signed[:name]`
# cookies.signed[:user_id] = current_user.id
#
# # Sets an encrypted cookie value before sending it to the client which
# # prevent users from reading and tampering with its value.
- # # The cookie is signed by your app's `secrets.secret_key_base` value.
# # It can be read using the encrypted method `cookies.encrypted[:name]`
# cookies.encrypted[:discount] = 45
#
@@ -191,10 +189,10 @@ module ActionDispatch
# the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
# cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
#
- # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
+ # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
# legacy cookies signed with the old key generator will be transparently upgraded.
#
- # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
+ # This jar requires that you set a suitable secret for the verification on your app's +secret_key_base+.
#
# Example:
#
@@ -214,13 +212,13 @@ module ActionDispatch
# Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
# If the cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
#
- # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
+ # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
# legacy cookies signed with the old key generator will be transparently upgraded.
#
# If +config.action_dispatch.encrypted_cookie_salt+ and +config.action_dispatch.encrypted_signed_cookie_salt+
# are both set, legacy cookies encrypted with HMAC AES-256-CBC will be transparently upgraded.
#
- # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
+ # This jar requires that you set a suitable secret for the verification on your app's +secret_key_base+.
#
# Example:
#
@@ -591,7 +589,7 @@ module ActionDispatch
end
# UpgradeLegacySignedCookieJar is used instead of SignedCookieJar if
- # secrets.secret_token and secrets.secret_key_base are both set. It reads
+ # secrets.secret_token and secret_key_base are both set. It reads
# legacy cookies signed with the old dummy key generator and signs and
# re-saves them using the new key generator to provide a smooth upgrade path.
class UpgradeLegacySignedCookieJar < SignedCookieJar #:nodoc:
@@ -605,7 +603,7 @@ module ActionDispatch
super
if ActiveSupport::LegacyKeyGenerator === key_generator
- raise "You didn't set secrets.secret_key_base, which is required for this cookie jar. " \
+ raise "You didn't set secret_key_base, which is required for this cookie jar. " \
"Read the upgrade documentation to learn more about this new config option."
end
@@ -631,7 +629,7 @@ module ActionDispatch
end
# UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
- # instead of EncryptedCookieJar if secrets.secret_token and secrets.secret_key_base
+ # instead of EncryptedCookieJar if secrets.secret_token and secret_key_base
# are both set. It reads legacy cookies signed with the old dummy key generator and
# encrypts and re-saves them using the new key generator to provide a smooth upgrade path.
class UpgradeLegacyEncryptedCookieJar < EncryptedCookieJar #:nodoc:
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index f594b6f491..b0514a96d8 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -21,14 +21,10 @@ module ActionDispatch
# knowing your app's secret key, but can easily read their +user_id+. This
# was the default for Rails 3 apps.
#
- # If you have secret_key_base set, your cookies will be encrypted. This
+ # Your cookies will be encrypted using your apps secret_key_base. This
# goes a step further than signed cookies in that encrypted cookies cannot
# be altered or read by users. This is the default starting in Rails 4.
#
- # If you have both secret_token and secret_key_base set, your cookies will
- # be encrypted, and signed cookies generated by Rails 3 will be
- # transparently read and encrypted to provide a smooth upgrade path.
- #
# Configure your session store in <tt>config/initializers/session_store.rb</tt>:
#
# Rails.application.config.session_store :cookie_store, key: '_your_app_session'
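Review bot: The rewritten first sentence of this hunk has a possessive typo; it should read `# Your cookies will be encrypted using your app's secret_key_base. This`. The dropped paragraph about having both secret_token and secret_key_base set was the only place this file told readers that Rails 3 signed cookies are transparently read and re-encrypted, while cookies.rb in this same commit still documents UpgradeLegacyEncryptedCookieJar as the jar CookieStore uses when both are set, so that upgrade path appears to remain in code. A single sentence pointing at that jar would keep the two files consistent without restoring the removed Rails 3 advice. The enclosing comment block continues beyond the hunk.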
@@ -40,20 +36,10 @@ module ActionDispatch
# If your application was not updated to Rails 5.2 defaults, the secret_key_base
# will be found in the old <tt>config/secrets.yml</tt> file.
#
- # If you are upgrading an existing Rails 3 app, you should leave your
- # existing secret_token in place and simply add the new secret_key_base.
- # Note that you should wait to set secret_key_base until you have 100% of
- # your userbase on Rails 4 and are reasonably sure you will not need to
- # rollback to Rails 3. This is because cookies signed based on the new
- # secret_key_base in Rails 4 are not backwards compatible with Rails 3.
- # You are free to leave your existing secret_token in place, not set the
- # new secret_key_base, and ignore the deprecation warnings until you are
- # reasonably sure that your upgrade is otherwise complete. Additionally,
- # you should take care to make sure you are not relying on the ability to
- # decode signed cookies generated by your app in external applications or
- # JavaScript before upgrading.
- #
- # Note that changing the secret key will invalidate all existing sessions!
+ # Note that changing your secret_key_base will invalidate all existing session.
+ # Additionally, you should take care to make sure you are not relying on the
+ # ability to decode signed cookies generated by your app in external
+ # applications or JavaScript before changing it.
#
# Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
# options described there can be used to customize the session cookie that
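Review bot: `session` should be plural in the new sentence near the end of this hunk: `# Note that changing your secret_key_base will invalidate all existing sessions.`. With the Rails 3 upgrade paragraph removed, this sentence is now the only guidance on rotating the key, so it is worth stating the practical effect explicitly, for example `# (every user will, in effect, be signed out)`, since that is what a reader planning a key change needs to know. The comment block continues past the hunk.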