#35400: SECRET_KEY_FALLBACKS documentation can be misleading when running a multiple instances of an application -------------------------------------+------------------------------------- Reporter: Ryan | Owner: nobody Siemens | Type: | Status: new Cleanup/optimization | Component: | Version: 5.0 Documentation | Keywords: Severity: Normal | SECRET_KEY_FALLBACKS Triage Stage: | Has patch: 0 Unreviewed | Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 1 UI/UX: 0 | -------------------------------------+------------------------------------- Hi, I was looking at the documentation for [https://docs.djangoproject.com/en/dev/ref/settings/#secret-key-fallbacks SECRET_KEY_FALLBACKS] and I think the documentations advice for how to rotate keys is a little to simplistic and will lead to unexpected issues with any modestly larger application that runs on multiple boxes (or pods).
"In order to rotate your secret keys, set a new SECRET_KEY and move the previous value to the beginning of SECRET_KEY_FALLBACKS." Just following this advice can lead to a scenario where your request is routed to a rotated box that has the new `SECRET_KEY` set, signs the session successfully and returns. A subsequent request could route to an un-rotated box which hasn't received the `SECRET_KEY` update and fails to validate the session. This diagram aims to illustrate the problem [[Image(https://cdn.zappy.app/f223668c63259e3316cfe0afb6bc97c3.png)]]. I believe the way to handle this situation is to have a two phase rollout where: - Phase 1: **don't** update `SECRET_KEY`, but update `SECRET_KEY_FALLBACKS` to `['old_key', 'new_key']` and let all boxes sync. Everything is still being signed/validated with the current, unchanged `SECRET_KEY`. - Phase 2: update `SECRET_KEY='new_key'` and `SECRET_KEY_FALLBACKS=['old_key']`. Now boxes that aren't rotated can validate sessions signed from boxes with the new_key even though they will still sign with the old_key. Things can then proceed as normal where the `old_key` is dropped from `SECRET_KEY_FALLBACKS` after some time. Visually it looks like this [[Image(https://cdn.zappy.app/0edeb791cdc40d9d8e3b7f3918b1b11b.png)]] My request is to update the documentation to ''at least'' indicate that the advice doesn't hold in scenarios where you are running the application across a fleet of boxes. -- Ticket URL: <https://code.djangoproject.com/ticket/35400> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/0107018f0c03522d-f4772a07-22af-4ce3-9b3f-364d39d7b0c0-000000%40eu-central-1.amazonses.com.