Struct biscotti::config::CryptoRule
pub struct CryptoRule {
    pub cookie_names: Vec<String>,
    pub type: CryptoType,
    pub key: Key,
    pub secondary_keys: Vec<Key>,
}
CryptoRule specifies whether certain cookies should be encrypted or signed.
Fields§
cookie_names: Vec<String>
The names of the cookies to which this rule applies.
type: CryptoType
How the cookies should be secured: either encryption or signing.
key: Key
The key to use for encryption or signing.
§Requirements
The key must be at least 64 bytes long and should be generated using a cryptographically secure random number generator.
secondary_keys: Vec<Key>
Secondary keys are used to decrypt/verify request cookies that failed to
be decrypted/verified using the primary key.
Secondary keys are never used to encrypt/sign response cookies.
§Key rotation
Secondary keys exist to enable key rotation.
From time to time, you may want to change the key used to sign or encrypt cookies.
If you do this naively (i.e. change CryptoRule::key to a new value), the server will immediately start rejecting all existing cookies because they were signed/encrypted with the old key.
Using secondary keys, you can start using the new key without invalidating all existing cookies. The process is as follows:
- Generate a new key
- Set key to the new key, and add the old key to the secondary_keys vector
- Wait for the expiration of all cookies signed/encrypted with the old key
- Remove the old key from the secondary_keys vector
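The rotation steps above, modelled in std-only Rust as an added example (not biscotti's own code). `Rule`, `tag`, `rotate` and `retire` are hypothetical names, `tag` is a toy keyed checksum standing in for real signing, and the keys are constructed placeholder bytes.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

const MIN_KEY_LEN: usize = 64; // minimum key length stated in the requirements above

// Hypothetical stand-in for CryptoRule, reduced to its two key fields.
struct Rule { key: Vec<u8>, secondary_keys: Vec<Vec<u8>> }

// Toy keyed checksum standing in for a real MAC. NOT cryptographically secure.
fn tag(key: &[u8], value: &str) -> u64 {
    let mut h = DefaultHasher::new();
    (key, value).hash(&mut h);
    h.finish()
}

impl Rule {
    // Response cookies are signed with the primary key only.
    fn sign(&self, value: &str) -> (String, u64) {
        (value.to_owned(), tag(&self.key, value))
    }
    // Request cookies: try the primary key, then each secondary key.
    fn verify(&self, (value, t): &(String, u64)) -> bool {
        std::iter::once(&self.key)
            .chain(&self.secondary_keys)
            .any(|k| tag(k, value) == *t)
    }
    // Step 2: the new key becomes primary, the old primary becomes secondary.
    fn rotate(&mut self, new_key: Vec<u8>) -> Result<(), &'static str> {
        if new_key.len() < MIN_KEY_LEN { return Err("key shorter than 64 bytes"); }
        let old = std::mem::replace(&mut self.key, new_key);
        self.secondary_keys.insert(0, old);
        Ok(())
    }
    // Step 4: once cookies issued under the old key have expired, drop it.
    fn retire(&mut self, old_key: &[u8]) {
        self.secondary_keys.retain(|k| k.as_slice() != old_key);
    }
}

fn main() {
    let (old, new) = (vec![0x11u8; 64], vec![0x22u8; 64]); // constructed placeholder keys
    let mut rule = Rule { key: old.clone(), secondary_keys: vec![] };
    let session = rule.sign("session=abc"); // cookie issued before rotation
    rule.rotate(new).unwrap();
    println!("old cookie accepted during rotation: {}", rule.verify(&session));
    println!("new cookies signed with old key: {}", rule.sign("x").1 == tag(&old, "x"));
    rule.retire(&old);
    println!("old cookie accepted after retirement: {}", rule.verify(&session));
}
```

Retiring the old key before the longest-lived cookie issued under it has expired has the same effect as the naive swap for those remaining cookies.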
Trait Implementations§
impl Clone for CryptoRule
fn clone(&self) -> CryptoRule
1.0.0 · fn clone_from(&mut self, source: &Self)