
Re: Cookie not signed after upgrading mojolicious

by Corion (Patriarch)
on Jul 21, 2021 at 11:15 UTC


in reply to Cookie not signed after upgrading mojolicious

I don't see a Mojolicious 9.30, but the Changes file mentions:

Switched from HMAC-SHA1 to HMAC-SHA256 for signed cookies. Note that this means that all sessions will be reset.

To me, this means this is expected behaviour. I don't know if/how you can migrate the signed cookies from the old version to the new version automatically. I guess you would need to have two code paths. One that receives and validates the HMAC-SHA256 cookies, and one that gets taken when the SHA256 validation fails (maybe copied from the old Mojolicious distribution), that validates against the old HMAC-SHA1, and does an upgrade.


Replies are listed 'Best First'.
Re^2: Cookie not signed after upgrading mojolicious
by newperldeveloper (Sexton) on Jul 21, 2021 at 12:05 UTC
    Didn't see this information, I didn't see that information. Is there a way to have Plack switch to signing with HMAC-SHA256?

      Plack itself doesn't handle sessions, and I don't find Plack::Session::Store::File::Mojolicious on CPAN (neither does Google find it elsewhere), so I don't know what you would need to do to make it sign the cookies using HMAC-SHA256. Maybe that file is just the Mojolicious code for cookie signing copied into the Plack API and you can also just copy the (new) Mojolicious code into that.

        The new Mojolicious code is the same. I did pass in httponly=>1,secret=>'whatever the secret is' and that, at least I think, started giving me an incorrect signature error. I say think because I made a lot of changes. But the error it gave was: cookie has bad signature
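
The two code paths suggested in the first reply, sketched as an added example that is not part of the thread and not Mojolicious or Plack code. It assumes a cookie laid out as `value--hexsignature` with the HMAC computed over `name=value`; the function names, the secret and the two-week migration window are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1_hex hmac_sha256_hex);

# Assumed cookie layout: "<value>--<hex HMAC of 'name=value'>".
# Function names and the secret below are constructed for this example.

# Constant-time comparison, so response timing does not leak the signature.
sub secure_compare {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub sign_cookie {
    my ($name, $value, $secret) = @_;
    return "$value--" . hmac_sha256_hex("$name=$value", $secret);
}

# Returns (value, needs_upgrade), or an empty list when no signature matches.
sub verify_cookie {
    my ($name, $cookie, $secrets, $legacy_until) = @_;
    my ($value, $sig) = $cookie =~ /\A(.*)--([0-9a-f]+)\z/s or return;
    for my $secret (@$secrets) {
        return ($value, 0)
            if secure_compare($sig, hmac_sha256_hex("$name=$value", $secret));
    }
    # Fallback path: accept HMAC-SHA1 only inside a bounded migration window.
    return if time() > $legacy_until;
    for my $secret (@$secrets) {
        return ($value, 1)
            if secure_compare($sig, hmac_sha1_hex("$name=$value", $secret));
    }
    return;
}

# Constructed sample: a cookie signed the old way, then verified and upgraded.
my @secrets  = ('constructed-sample-secret');
my $deadline = time() + 14 * 24 * 3600;
my $old      = 'user42--' . hmac_sha1_hex('session=user42', $secrets[0]);

my ($value, $upgrade) = verify_cookie('session', $old, \@secrets, $deadline);
my $fresh = $upgrade ? sign_cookie('session', $value, $secrets[0]) : $old;
print "legacy cookie accepted, value=$value\nreissue as: $fresh\n";

my @bad = verify_cookie('session', 'admin--' . (split /--/, $old)[1], \@secrets, $deadline);
print "tampered cookie rejected\n" unless @bad;
```

Once the window has passed, the SHA-1 branch can be deleted; any cookie still carrying an old signature then fails verification and the session is reset.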
