Just wanted to give you a quick heads up about a security-related deprecation that will affect most secure applications in one way or another.

  app->secret('s3cret');

That line should look familiar. So far whenever you wanted to change your application "secret", you were forced to invalidate all existing signed cookies (sessions) too, but that's going to change in Mojolicious 4.63.

  app->secrets(['s3cret']);

From now on we will allow multiple "secrets"; the first one is used to generate new signatures, and you can keep old ones around that will only be used to verify existing signed cookies (sessions).

  app->secrets(['m0re s3cret', 's3cret']);

Your users won't notice anything, and after a while you can just remove the old secret again.

https://github.com/kraih/mojo/compare/20435a301938edd9ae8a706661180146ea1c74aa...5c8b8d546787a08bfab8e31f355e9822a0d612e2

--
sebastian
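
The rotation scheme described in the message above, as an added stand-alone sketch (not Mojolicious code and not from the original post). The helper names `sign_value`, `verify_value` and `secure_compare`, the HMAC-SHA1 digest and the `value--signature` layout are assumptions made for illustration; the cookie value is constructed.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1_hex);

# New signatures are always made with the first (current) secret.
sub sign_value {
  my ($value, $secrets) = @_;
  return "$value--" . hmac_sha1_hex($value, $secrets->[0]);
}

# Constant-time comparison, so a failed check does not reveal how many
# leading characters of a forged signature were correct.
sub secure_compare {
  my ($x, $y) = @_;
  return 0 unless length $x == length $y;
  my $diff = 0;
  $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
    for 0 .. length($x) - 1;
  return $diff == 0;
}

# A signature made with any listed secret is accepted.
# Returns the value on success, undef on failure.
sub verify_value {
  my ($signed, $secrets) = @_;
  return undef unless $signed =~ /\A(.*)--([0-9a-f]+)\z/s;
  my ($value, $sig) = ($1, $2);
  for my $secret (@$secrets) {
    return $value if secure_compare($sig, hmac_sha1_hex($value, $secret));
  }
  return undef;
}

my $status = sub { defined $_[0] ? 'accepted' : 'rejected' };

# Constructed sample: a cookie issued before the rotation.
my $old_cookie = sign_value('user=42', ['s3cret']);

# During rotation: new secret first, old secret kept for verification only.
my $rotating   = ['m0re s3cret', 's3cret'];
my $new_cookie = sign_value('user=42', $rotating);
print "during rotation, old cookie: ", $status->(verify_value($old_cookie, $rotating)), "\n";
print "during rotation, new cookie: ", $status->(verify_value($new_cookie, $rotating)), "\n";

# After rotation: old secret removed, so cookies signed with it stop verifying.
my $rotated = ['m0re s3cret'];
print "after rotation, old cookie:  ", $status->(verify_value($old_cookie, $rotated)), "\n";
print "after rotation, new cookie:  ", $status->(verify_value($new_cookie, $rotated)), "\n";
```

How long the old secret stays in the list sets how long a cookie signed with it remains valid, so if the old secret is being replaced because it leaked, drop it immediately rather than keeping it for verification.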