author | Michael Coyne <mikeycgto@gmail.com> | 2017-10-09 21:08:38 -0400 |
---|---|---|
committer | Michael Coyne <mikeycgto@gmail.com> | 2017-10-09 21:15:02 -0400 |
commit | 04a7b7165ad204014c5850f62c921f7291d6ba5d (patch) | |
tree | 36ddc8789347674dc4adf940583862b654723d4e /guides | |
parent | ac1ee519fa513f1c2188180e8830938c71edb48c (diff) | |
Update security guide for signed cookie rotations
The example was slightly incorrect. This commit also adds a test case
for this example to cookies middleware unit tests.
Diffstat (limited to 'guides')
-rw-r--r-- | guides/source/security.md | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index bf9af88c5d..cfa777d433 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -169,11 +169,12 @@ you would first assign the new configuration value: Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256" ``` -Then you'd set up a rotation with the old configuration to keep it alive. +Now add a rotation for the old SHA1 digest so existing cookies are +seamlessly upgraded to the new SHA256 digest. ```ruby Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies| - cookies.rotate :signed, digest: "SHA256" + cookies.rotate :signed, digest: "SHA1" end ``` |
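Review bot: The added sentence "Now add a rotation for the old SHA1 digest so existing cookies are seamlessly upgraded to the new SHA256 digest." covers the upgrade path but not the end of it. While `cookies.rotate :signed, digest: "SHA1"` stays configured, cookies signed with the old digest are still accepted. Unless the text right after this hunk already covers it, add a sentence after the code block telling the reader to remove the rotation once existing cookies have had a chance to be rewritten, so the guide does not read as if the SHA1 rotation is meant to be permanent. It would also help to say in the same place that the argument to `rotate` is the previous digest and not the new one, since that is exactly the mistake the removed line `cookies.rotate :signed, digest: "SHA256"` made.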