Feature request: rotate cookie store session secret

[erjoalgo]

For security I'd like to rotate the cookie store session to a new secret every few days without the disruption of a restart, and without invalidating existing unexpired sessions using the old secret.

The overlap duration between the old and new secrets would be about the same as the session TTL.

One way to do this would be to allow the client code to add new secrets and remove old ones, and have the middleware to support decrypting sessions with all currently valid secrets.

Another way which I think is simpler and easier to implement, is to allow the user to provide a secret-generating function, and to have the middleware automatically rotate the secrets at the same frequency as the session TTL. This way the middleware wouldn't need to provide a stateful API for adding/deleting secretss, and the user could focus on providing the :secret-generating-fn without having to deal with the rotation logic.

Is this something you would consider adding, or is there a way to do this already that I missed?

[weavejester]

I think this is a little too specialized to add to Ring core. Instead, I'd suggest writing a third-party library to wrap the cookie session store with one that periodically rotates the key.

[erjoalgo]

I'd argue that this is should be enabled by default to improve the security of all ring servers. The current usage makes it difficult to change secrets without disruption/restart, and I'm afraid the easiest thing for most users is to never think about changing secrets.

It's interesting to see what an AI search yields about this topic:

[weavejester]

It's not quite as straightforward. Key rotation isn't transparent to the user, as it limits the maximum time a session can exist without being refreshed. This isn't necessarily a deal breaker, but it is behavior that I think needs to be explicitly chosen given the trade-off.

Second, if you're planning to rotate your session key, then what about your database password, and your API keys? All the reasons for rotating the session key also apply to any other secret your application uses, and you might very well want to organize all your secret rotation in one place.

It might be useful to augment the cookie session store with a number of additional :read-keys that can be tried if the main key doesn't work, as it's useful to support some number of previous keys for reading in order to support a smooth key changeover.

However, I think anything more would be better served via third-party middleware, at least for now.