1 files changed, 5 insertions, 19 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index f594b6f491..b0514a96d8 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -21,14 +21,10 @@ module ActionDispatch
     # knowing your app's secret key, but can easily read their +user_id+. This
     # was the default for Rails 3 apps.
     #
-    # If you have secret_key_base set, your cookies will be encrypted. This
+    # Your cookies will be encrypted using your apps secret_key_base. This
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
-    # If you have both secret_token and secret_key_base set, your cookies will
-    # be encrypted, and signed cookies generated by Rails 3 will be
-    # transparently read and encrypted to provide a smooth upgrade path.
-    #
     # Configure your session store in <tt>config/initializers/session_store.rb</tt>:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
@@ -40,20 +36,10 @@ module ActionDispatch
     # If your application was not updated to Rails 5.2 defaults, the secret_key_base
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
-    # If you are upgrading an existing Rails 3 app, you should leave your
-    # existing secret_token in place and simply add the new secret_key_base.
-    # Note that you should wait to set secret_key_base until you have 100% of
-    # your userbase on Rails 4 and are reasonably sure you will not need to
-    # rollback to Rails 3. This is because cookies signed based on the new
-    # secret_key_base in Rails 4 are not backwards compatible with Rails 3.
-    # You are free to leave your existing secret_token in place, not set the
-    # new secret_key_base, and ignore the deprecation warnings until you are
-    # reasonably sure that your upgrade is otherwise complete. Additionally,
-    # you should take care to make sure you are not relying on the ability to
-    # decode signed cookies generated by your app in external applications or
-    # JavaScript before upgrading.
-    #
-    # Note that changing the secret key will invalidate all existing sessions!
+    # Note that changing your secret_key_base will invalidate all existing session.
+    # Additionally, you should take care to make sure you are not relying on the
+    # ability to decode signed cookies generated by your app in external
+    # applications or JavaScript before changing it.
     #
     # Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
     # options described there can be used to customize the session cookie that