Merge pull request #30847 from mikeycgto/signed-cookie-rotation-updates

Update security guide for signed cookie rotations
author: Rafael França <rafaelmfranca@gmail.com> 2017-10-10 10:13:57 -0400
committer: GitHub <noreply@github.com> 2017-10-10 10:13:57 -0400
commit: 86d1231302f9d993464f0156edc74eb92b517891 (patch)
tree: 36ddc8789347674dc4adf940583862b654723d4e /guides
parent: ac1ee519fa513f1c2188180e8830938c71edb48c (diff)
parent: 04a7b7165ad204014c5850f62c921f7291d6ba5d (diff)
download: rails-86d1231302f9d993464f0156edc74eb92b517891.tar.gz
rails-86d1231302f9d993464f0156edc74eb92b517891.tar.bz2
rails-86d1231302f9d993464f0156edc74eb92b517891.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index bf9af88c5d..cfa777d433 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -169,11 +169,12 @@ you would first assign the new configuration value:
 Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256"
 ```
 
-Then you'd set up a rotation with the old configuration to keep it alive.
+Now add a rotation for the old SHA1 digest so existing cookies are
+seamlessly upgraded to the new SHA256 digest.
 
 ```ruby
 Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
-  cookies.rotate :signed, digest: "SHA256"
+  cookies.rotate :signed, digest: "SHA1"
 end
 ```
author	Rafael França <rafaelmfranca@gmail.com>	2017-10-10 10:13:57 -0400
committer	GitHub <noreply@github.com>	2017-10-10 10:13:57 -0400
commit	86d1231302f9d993464f0156edc74eb92b517891 (patch)
tree	36ddc8789347674dc4adf940583862b654723d4e /guides
parent	ac1ee519fa513f1c2188180e8830938c71edb48c (diff)
parent	04a7b7165ad204014c5850f62c921f7291d6ba5d (diff)
download	rails-86d1231302f9d993464f0156edc74eb92b517891.tar.gz rails-86d1231302f9d993464f0156edc74eb92b517891.tar.bz2 rails-86d1231302f9d993464f0156edc74eb92b517891.zip