Use SHA256 to encrypt messages and cookies
Note that enabling this option means all encrypted messages and cookies generated by the application become invalid, so we're adding a cookie rotator in order to keep sessions from expiring when upgrading the application, as recommended in the "Upgrading Ruby on Rails" guideline [1].

Since we haven't seen any Consul Democracy applications using encrypted messages and these messages become invalid with this change, we're also removing the pre-Rails 5.2 encryption to authenticate messages (AES-256-CBC) and switching to the default one since Rails 5.2 (AES-256-GCM).

Since the configured encryption is used by the cookie rotator initializer (through the ActiveSupport::MessageEncryptor.key_len method), at first I thought this might affect the cookie rotator, but it doesn't: upgrading works as expected, and existing sessions are still active.

I'm adding a comment to remove the initializer once all cookies have been migrated. I've added "Rails 7.1" in the comment because we usually check for these comments when upgrading Rails, but we rarely check for them after releasing new versions of Consul Democracy.

[1] https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
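Added illustration, not code from this commit or from the Consul Democracy code base: a stand-alone Ruby sketch of the mechanism the commit message relies on, written against the openssl standard library only (no ActiveSupport). Keys are derived with PBKDF2-HMAC the way ActiveSupport::KeyGenerator does, once with SHA1 (the Rails 7.0 default digest) and once with SHA256 (the digest this commit enables), which is why every existing cookie stops decrypting and a rotator is needed. LegacyCbcScheme and GcmScheme are simplified models of the pre-5.2 (AES-256-CBC plus HMAC-SHA1) and current (AES-256-GCM) MessageEncryptor, not their exact wire formats; CookieRotator is an analogue of the cookies_rotations fallback, not Rails' own class. The secret, the cookie value and the class names are constructed for the example; the salt strings are the Rails defaults of those names.

```ruby
require "openssl"
require "base64"

# Constructed secret for this example only; Rails uses secret_key_base.
SECRET_KEY_BASE = "constructed-secret-key-base-for-the-example-only".freeze
ITERATIONS = 1000 # ActiveSupport::KeyGenerator's default iteration count

# PBKDF2-HMAC, the primitive behind ActiveSupport::KeyGenerator. Rails 7.0 and
# earlier default the digest to SHA1; key_generator_hash_digest_class = SHA256
# changes it, so every derived key (and every existing cookie) changes too.
def derive_key(digest, salt:, length: 32)
  OpenSSL::KDF.pbkdf2_hmac(SECRET_KEY_BASE, salt: salt, iterations: ITERATIONS,
                           length: length, hash: digest)
end

def b64(bytes)
  Base64.strict_encode64(bytes)
end

def unb64(text)
  Base64.strict_decode64(text)
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified model of the pre-Rails 5.2 scheme: AES-256-CBC, then HMAC-SHA1 over
# the encoded "ciphertext--iv" body (encrypt-then-MAC). Not Rails' wire format.
class LegacyCbcScheme
  def initialize(enc_key, sign_key)
    @enc_key = enc_key
    @sign_key = sign_key
  end

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    body = "#{b64(cipher.update(plaintext) + cipher.final)}--#{b64(iv)}"
    "#{body}--#{b64(OpenSSL::HMAC.digest('SHA1', @sign_key, body))}"
  end

  # Plaintext, or nil when the MAC or the ciphertext is bad.
  def decrypt(token)
    body, _sep, mac = token.rpartition("--")
    return nil unless secure_equal?(mac, b64(OpenSSL::HMAC.digest("SHA1", @sign_key, body)))
    ciphertext, iv = body.split("--", 2).map { |part| unb64(part) }
    cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
    cipher.key = @enc_key
    cipher.iv = iv
    cipher.update(ciphertext) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end

# Model of the Rails >= 5.2 default: AES-256-GCM, authenticated by its own tag.
class GcmScheme
  def initialize(key)
    @key = key
  end

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(plaintext) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |part| b64(part) }.join("--")
  end

  def decrypt(token)
    ciphertext, iv, tag = token.split("--", 3).map { |part| unb64(part) }
    return nil unless tag && tag.bytesize == 16 # reject missing or truncated tags
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    cipher.update(ciphertext) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end

# Minimal analogue of config.action_dispatch.cookies_rotations: try the current
# scheme, then each fallback; a cookie that only decrypts under a fallback is
# reissued under the current scheme so the session survives the upgrade.
class CookieRotator
  def initialize(current, fallbacks)
    @current = current
    @fallbacks = fallbacks
  end

  # Returns [value, reissued_cookie]; value is nil for an invalid cookie and
  # reissued_cookie is nil when the cookie already uses the current scheme.
  def read(token)
    value = @current.decrypt(token)
    return [value, nil] if value
    @fallbacks.each do |scheme|
      value = scheme.decrypt(token)
      return [value, @current.encrypt(value)] if value
    end
    [nil, nil]
  end
end

# Salts are the Rails defaults of those names. The legacy stack derives its keys
# with SHA1, the current one with SHA256, mirroring the digest change here.
def legacy_scheme
  LegacyCbcScheme.new(derive_key("SHA1", salt: "encrypted cookie"),
                      derive_key("SHA1", salt: "signed encrypted cookie", length: 64))
end

def current_scheme
  GcmScheme.new(derive_key("SHA256", salt: "authenticated encrypted cookie"))
end

def build_rotator
  CookieRotator.new(current_scheme, [legacy_scheme])
end

if __FILE__ == $PROGRAM_NAME
  old_cookie = legacy_scheme.encrypt("session_id=abc123")
  value, reissued = build_rotator.read(old_cookie)
  puts "legacy cookie read as #{value.inspect}; reissued under AES-256-GCM: #{!reissued.nil?}"
end
```

Running it shows the point the commit message makes: a cookie minted under the SHA1-derived CBC keys still reads correctly after the switch, because the rotator falls back to the legacy scheme and reissues the cookie under AES-256-GCM with the SHA256-derived key; once no cookie needs the fallback, the fallback (and with it the initializer the commit marks for removal) can go.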
@@ -163,6 +163,7 @@ Layout/LineLength:
- "config/environments/staging.rb"
- "config/initializers/devise.rb"
- "config/initializers/backtrace_silencers.rb"
- "config/initializers/cookie_rotator.rb"
- "db/migrate/*create_delayed_jobs.rb"
- "db/migrate/*create_active_storage_variant_records.active_storage.rb"
- "app/models/budget/stats.rb"
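Review bot: the `@@ -163,6 +163,7 @@ Layout/LineLength:` header shows a single line added to the file list under Layout/LineLength, and the only entry tied to this commit is `- "config/initializers/cookie_rotator.rb"`, so the new initializer is being exempted from the line-length cop rather than wrapped. The commit message describes that initializer as temporary, to be deleted once all cookies have been migrated (flagged for the Rails 7.1 upgrade); when it is deleted this exclusion becomes a stale path that nothing will flag. Either wrap the long line in the initializer instead of excluding the file, or put the same "remove with the cookie rotator / Rails 7.1" note next to this entry so both are removed together.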