Rotate your Django secret
================================
Django Rotate Secret Key
================================
Helps you rotate your secret key safely without losing user sessions, which means without logging users out.
Compatible with modern Django versions. At the time of writing that includes 1.11 and 2.0 on Python 3.7.
I haven't found any library that lets us do this on our production website, so I started this one.
Problem
============
Once you change the ``SECRET_KEY`` in production, all the old sessions and cookies are invalidated,
users are logged out and the data stored in their sessions is lost.
This is good if your ``SECRET_KEY`` is compromised!
But it is not good if you just want to rotate the key on a regular schedule as a security measure.
This library lets you keep accepting old sessions signed with your old secret key,
while re-signing them with the new secret key when the user next visits the website.
So the optimal schedule would be:

1) you decide to rotate your secret key
2) install ``django-rotate-secret-key`` and configure it
3) support both keys for a limited time (x months)
4) roll back ``django-rotate-secret-key`` and keep your secret key the same (removing the old one)

If a user comes back to the website after x months, their session will be invalidated.
But for all the regular users this should be a seamless transition.
Getting It
============
.. code-block:: bash

    $ pip install django-rotate-secret-key
Installing It
============
This is safe to do even before you decide to rotate your keys;
it has no effect until you change the settings.

.. code-block:: python

    INSTALLED_APPS = (
        ...
        'rotatesecretkey',
        ...
    )
Settings
============
Replace ``AuthenticationMiddleware`` with ``RotateAuthenticationMiddleware``:

.. code-block:: python

    MIDDLEWARE = [
        ...
        # 'django.contrib.auth.middleware.AuthenticationMiddleware',
        'rotatesecretkey.middleware.RotateAuthenticationMiddleware',
        ...
    ]
Replace ``SESSION_ENGINE``:

.. code-block:: python

    SESSION_ENGINE = 'rotatesecretkey.sessions'
Put the old secret key into ``OLD_SECRET_KEY`` and generate a new ``SECRET_KEY``:

.. code-block:: python

    SECRET_KEY = 'NEWRANDOMKEY'
    OLD_SECRET_KEY = 'your_previous_secret_key_that_you_want_to_support'
Once these changes go live, your website will decode old sessions with
``OLD_SECRET_KEY`` and re-sign them with the new ``SECRET_KEY``.
After some time (1 or 2 months, say) you should roll these changes back and keep only the ``SECRET_KEY``:

.. code-block:: python

    SECRET_KEY = 'NEWRANDOMKEY'

You don't want to support ``OLD_SECRET_KEY`` forever, but long enough to give your visitors a
chance to visit the website and have their sessions rewritten with the new key.
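The verify-with-fallback-then-re-sign behaviour described above, as an added example that is not the library's own code: a simplified salted-HMAC signer stands in for Django's ``signing.Signer`` (same idea, not the same wire format), and ``load_session`` tries the current key first, falls back to the old key, and returns the payload re-signed with the current key. The keys and the session payload are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed keys for this example only; real settings use long random values.
SECRET_KEY = "new-random-key-constructed-for-this-example"
OLD_SECRET_KEY = "previous-key-constructed-for-this-example"


def sign(value: str, key: str, salt: str = "sessions") -> str:
    """Return ``value:signature`` using a salted HMAC-SHA256.

    Simplified stand-in for Django's ``signing.Signer``: the salt and the secret
    are hashed into a per-purpose HMAC key, but the wire format is not Django's.
    """
    derived = hashlib.sha256((salt + key).encode()).digest()
    mac = hmac.new(derived, value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}:{sig}"


def verify(signed: str, key: str) -> Optional[str]:
    """Return the payload if ``signed`` carries a valid signature under ``key``."""
    value, _, _sig = signed.rpartition(":")
    # Constant-time comparison of the whole token, so a forged signature
    # cannot be distinguished from a valid one through timing differences.
    if hmac.compare_digest(sign(value, key), signed):
        return value
    return None


def load_session(signed: str, keys: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Verify a session cookie against ``keys`` in order (current key first,
    then the old one) and return ``(payload, cookie re-signed with keys[0])``.

    Returns ``(None, None)`` when no key verifies: this is what happens to a
    visitor who only returns after ``OLD_SECRET_KEY`` has been removed again.
    """
    for key in keys:
        value = verify(signed, key)
        if value is not None:
            return value, sign(value, keys[0])
    return None, None
```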