by wyldfire 3265 days ago
> Private Cookies

> To encrypt private cookies, Rocket uses the 256-bit key specified in the secret_key configuration parameter. If one is not specified, Rocket automatically generates a fresh key at launch.

Seems like a pretty clever idea. Do other servers/middlewares offer a similar feature? Seems like it would complicate deployment/scaling a bit if the secret has to be sent to all the nodes. Especially if they could silently ignore it if you accidentally don't configure the key for some nodes.

2 comments

Yesod does this too and it sometimes causes problems when you first deploy an app to production.
Rails has had encrypted cookies for ages.
I think wyldfire was referring to the part about generating a new key on launch. Of course, Rails might do that too, for all I know.
uhh generating a new key on launch means every time you restart the app, everyone's cookies must be reset because the old ones can't be decrypted anymore.

It's just a convenience feature for development.
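
An added example, not part of any comment in this thread and not Rocket's code: a fail-closed key loader for the "silently ignored on some nodes" concern, plus a demonstration that a node with a freshly generated key rejects cookies issued by its peers. HMAC signing from the Python standard library stands in for Rocket's cookie encryption, and all function names and the cookie format are hypothetical.

```python
import base64, hashlib, hmac, secrets

KEY_LEN = 32  # 256-bit key, the size the quoted Rocket docs mention


def load_key(configured, production):
    """Return the cookie key; refuse to start in production without one.

    `configured` is a base64 string or None (hypothetical config value).
    """
    if configured is None:
        if production:
            raise RuntimeError("secret key not configured; refusing to start")
        return secrets.token_bytes(KEY_LEN)  # ephemeral, development only
    key = base64.b64decode(configured, validate=True)
    if len(key) != KEY_LEN:
        raise ValueError("secret key must decode to exactly 32 bytes")
    return key


def seal(key, value):
    """Constructed cookie format: base64url(value) '.' base64url(HMAC tag)."""
    tag = hmac.new(key, value, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (value, tag))


def unseal(key, cookie):
    """Return the value, or None if the cookie was not made with `key`."""
    try:
        raw_value, raw_tag = cookie.split(b".")
        value = base64.urlsafe_b64decode(raw_value)
        tag = base64.urlsafe_b64decode(raw_tag)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, value, hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None


def demo():
    shared = base64.b64encode(secrets.token_bytes(KEY_LEN)).decode()
    node_a = load_key(shared, production=True)
    node_b = load_key(shared, production=True)   # same configured key
    node_c = load_key(None, production=False)    # key missing: fresh one
    cookie = seal(node_a, b"user_id=42")         # constructed sample value
    return unseal(node_b, cookie), unseal(node_c, cookie)
```

Calling `demo()` shows node B accepting node A's cookie while node C, which generated its own key, rejects it; the same rejection happens on every restart of a node without a configured key.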