mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Merge pull request #36245 from vishaltelangre/patch-4
[ci skip] Clarity about embed metadata in signed and encrypted cookie
This commit is contained in:
commit
1efe902f33
2 changed files with 5 additions and 4 deletions
|
@ -245,7 +245,7 @@ Please refer to the [Changelog][action-pack] for detailed changes.
|
||||||
* Expose `ActionController::Parameters#each_key`.
|
* Expose `ActionController::Parameters#each_key`.
|
||||||
([Pull Request](https://github.com/rails/rails/pull/33758))
|
([Pull Request](https://github.com/rails/rails/pull/33758))
|
||||||
|
|
||||||
* Add purpose metadata to signed/encrypted cookies to prevent copying the value of
|
* Add purpose and expiry metadata inside signed/encrypted cookies to prevent copying the value of
|
||||||
cookies into one another.
|
cookies into one another.
|
||||||
([Pull Request](https://github.com/rails/rails/pull/32937))
|
([Pull Request](https://github.com/rails/rails/pull/32937))
|
||||||
|
|
||||||
|
|
|
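Review bot: the rewritten changelog line `* Add purpose and expiry metadata inside signed/encrypted cookies to prevent copying the value of` runs well past the width of the surrounding entries (the old wording already wrapped at "of"); rewrap it so the entry matches its neighbours. Also, the entry now advertises expiry metadata but the rationale is unchanged and only explains the purpose field (preventing a cookie's value being reused as another cookie's value); add a clause saying what embedding the expiry protects against, e.g. `... to prevent copying the value of cookies into one another, and to reject values presented after the expiry they were issued with.`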
@ -85,13 +85,14 @@ Rails 6.1. You are encouraged to enable `config.force_ssl` to enforce HTTPS
|
||||||
connections throughout your application. If you need to exempt certain endpoints
|
connections throughout your application. If you need to exempt certain endpoints
|
||||||
from redirection, you can use `config.ssl_options` to configure that behavior.
|
from redirection, you can use `config.ssl_options` to configure that behavior.
|
||||||
|
|
||||||
### Purpose in signed or encrypted cookie is now embedded within cookies
|
### Purpose and expiry metadata is now embedded inside signed and encrypted cookies for increased security
|
||||||
|
|
||||||
|
To improve security, Rails embeds the purpose and expiry metadata inside encrypted or signed cookies value.
|
||||||
|
|
||||||
To improve security, Rails embeds the purpose information in encrypted or signed cookies value.
|
|
||||||
Rails can then thwart attacks that attempt to copy the signed/encrypted value
|
Rails can then thwart attacks that attempt to copy the signed/encrypted value
|
||||||
of a cookie and use it as the value of another cookie.
|
of a cookie and use it as the value of another cookie.
|
||||||
|
|
||||||
This new embed information make those cookies incompatible with versions of Rails older than 6.0.
|
This new embed metadata make those cookies incompatible with versions of Rails older than 6.0.
|
||||||
|
|
||||||
If you require your cookies to be read by Rails 5.2 and older, or you are still validating your 6.0 deploy and want
|
If you require your cookies to be read by Rails 5.2 and older, or you are still validating your 6.0 deploy and want
|
||||||
to be able to rollback set
|
to be able to rollback set
|
||||||
|
|
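Review bot: grammar in the new upgrade-guide paragraph: "This new embed metadata make those cookies incompatible" should read "This newly embedded metadata makes those cookies incompatible", and "inside encrypted or signed cookies value" should be "inside encrypted or signed cookie values". The new heading "Purpose and expiry metadata is now embedded inside signed and encrypted cookies for increased security" is long for a section title; dropping "for increased security" loses nothing, since the first sentence already opens with "To improve security". As with the changelog hunk, the rationale sentence ("Rails can then thwart attacks that attempt to copy the signed/encrypted value of a cookie and use it as the value of another cookie") still only describes the purpose field; a sentence on what the expiry field guards against would make the heading's "expiry" earn its place.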