Suppose we want to change our Rails app's secret_key_base. Is there a way to do so that doesn't immediately log out all our users?
When upgrading from Rails 3.2 to 4, with the corresponding change from secret_token to secret_key_base, Rails helped with the migration by updating new users' cookies as they came to the site. Once a good portion of users had visited, you could switch to secret_key_base exclusively without logging them out.
Is this sort of functionality available to change the secret_key_base generally, say if a developer leaves or something like that? The idea would be to set a new secret_key_base that will switch over users' cookies as they come to the site. Once a good proportion have visited, you can make the hard switch and remove the old secret_key_base.
I found an old Rails pull request that seems to start on this functionality, but they appear to have stopped working on it.
In order to make this work you should customize Rails itself, versioning it. I don't think this answer would be the chosen one, but I would like to warn you about how deep these changes can be and the lack of security that you'll bring to your app.
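The gradual switchover the question describes (accept a cookie signed with the old secret, then re-issue it under the new one), as an added example that is not part of the original posts and is not Rails' own code. It assumes plain HMAC-SHA256 keyed directly with the secret, whereas Rails derives separate keys from secret_key_base; the class name and secrets are hypothetical.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical helper, not a Rails class: signs cookies with the current secret
# and still accepts cookies signed with retired secrets during a rotation window.
class RotatingCookieSigner
  def initialize(current_secret, retired_secrets = [])
    @current = current_secret
    @retired = retired_secrets
  end

  def sign(payload, secret = @current)
    data = Base64.urlsafe_encode64(JSON.generate(payload))
    "#{data}--#{mac(data, secret)}"
  end

  # Returns [payload, replacement_cookie]. replacement_cookie is nil when the
  # cookie already uses the current secret, and a re-signed cookie (to send back
  # via Set-Cookie) when a retired secret matched. Returns [nil, nil] on failure.
  def verify(cookie)
    data, tag = cookie.to_s.split("--", 2)
    return [nil, nil] if data.nil? || tag.nil?
    [@current, *@retired].each do |secret|
      next unless secure_compare(mac(data, secret), tag)
      payload = JSON.parse(Base64.urlsafe_decode64(data))
      return [payload, secret == @current ? nil : sign(payload)]
    end
    [nil, nil]
  rescue ArgumentError, JSON::ParserError
    [nil, nil]
  end

  private

  # Assumption: the secret is used directly as the HMAC key (no key derivation).
  def mac(data, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample secrets, for illustration only.
OLD_SECRET = "old-secret-constructed-for-this-example"
NEW_SECRET = "new-secret-constructed-for-this-example"
```

While a retired secret stays in the list, anyone who holds it can still produce cookies that verify, so the window only makes sense when the old secret is not believed to be exposed. The hard switch is dropping the retired list, after which old cookies fail verification.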