diff options
| author | Santiago Pastorino <santiago@wyeworks.com> | 2013-04-01 08:10:34 -0700 |
|---|---|---|
| committer | Santiago Pastorino <santiago@wyeworks.com> | 2013-04-01 08:10:34 -0700 |
| commit | f9d23b3848ab81cfb5207e14ccabca3d2e9b3182 (patch) | |
| tree | 2e9fc6a19600f754750ad5b7a8cf29add02ca0ae /guides/source | |
| parent | 40f9ca971a4be5b22c643c4db30ec0cdaeff6a59 (diff) | |
| parent | 274a3aa64cb903c52a41d1767cac0bc3eae44172 (diff) | |
| download | rails-f9d23b3848ab81cfb5207e14ccabca3d2e9b3182.tar.gz rails-f9d23b3848ab81cfb5207e14ccabca3d2e9b3182.tar.bz2 rails-f9d23b3848ab81cfb5207e14ccabca3d2e9b3182.zip | |
Merge pull request #9978 from trevorturk/cookie-store-auto-upgrade
Cookie-base session store auto-upgrade
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/upgrading_ruby_on_rails.md | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md index a2ba5dd062..83134fcf87 100644 --- a/guides/source/upgrading_ruby_on_rails.md +++ b/guides/source/upgrading_ruby_on_rails.md @@ -92,17 +92,20 @@ Rails 4.0 extracted Active Resource to its own gem. If you still need the featur Please note that you should wait to set `secret_key_base` until you have 100% of your userbase on Rails 4.x and are reasonably sure you will not need to rollback to Rails 3.x. This is because cookies signed based on the new `secret_key_base` in Rails 4.x are not backwards compatible with Rails 3.x. You are free to leave your existing `secret_token` in place, not set the new `secret_key_base`, and ignore the deprecation warnings until you are reasonably sure that your upgrade is otherwise complete. -* Rails 4.0 introduces a new `UpgradeSignatureToEncryptionCookieStore` cookie store. This is useful for upgrading apps using the old default `CookieStore` to the new default `EncryptedCookieStore` which leverages the new `ActiveSupport::KeyGenerator`. To use this transitional cookie store, you'll want to leave your existing `secret_token` in place, add a new `secret_key_base`, and change your `session_store` like so: +If you are relying on the ability for external applications or Javascript to be able to read your Rails app's signed session cookies (or signed cookies in general) you should not set `secret_key_base` until you have decoupled these concerns. -```ruby - # config/initializers/session_store.rb - Myapp::Application.config.session_store :upgrade_signature_to_encryption_cookie_store, key: 'existing session key' +* Rails 4.0 encrypts the contents of cookie-based sessions if `secret_key_base` has been set. Rails 3.x signed, but did not encrypt, the contents of cookie-based session. Signed cookies are "secure" in that they are verified to have been generated by your app and are tamper-proof. However, the contents can be viewed by end users, and encrypting the contents eliminates this caveat/concern. + +As described above, existing signed cookies generated with Rails 3.x will be transparently upgraded if you leave your existing `secret_token` in place and add the new `secret_key_base`. +```ruby # config/initializers/secret_token.rb Myapp::Application.config.secret_token = 'existing secret token' Myapp::Application.config.secret_key_base = 'new secret key base' ``` +The same caveats apply here, too. You should wait to set `secret_key_base` until you have 100% of your userbase on Rails 4.x and are reasonably sure you will not need to rollback to Rails 3.x. You should also take care to make sure you are not relying on the ability to decode signed cookies generated by your app in external applications or Javascript before upgrading. + * Rails 4.0 removed the `ActionController::Base.asset_path` option. Use the assets pipeline feature. * Rails 4.0 has deprecated `ActionController::Base.page_cache_extension` option. Use `ActionController::Base.default_static_extension` instead. |