
Django: We rotated secret keys on production with minimal impact - eralpb
https://medium.com/@bayraktar.eralp/changing-rotating-django-secret-key-without-logging-users-out-804a29d3ea65
======
eralpb
Hi! Normally when you rotate the secret key, users are logged out, which is a big
inconvenience if you have millions of users and might cost your business
valuable users, and this pushes companies not to rotate keys, which is not the
best practice.

That's why I wanted to make this process transparent to the user. I created a
library, "django-rotate-secret-key", which helps you rotate your secret key and
still accept sessions with the old key for a limited amount of time, and I
explained how to use it in this Medium post.

Obviously this is not something you want if your key is compromised, but if
you want to rotate just as a best security practice, this library is for you!

What I love about this library is, once you pass that window where you accept
both keys, you can delete/revert everything so there is no residue with this
solution! Not a single line of code you need to maintain in the future.

Feedback welcome, thank you very much!
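The acceptance window described in the post, as an added stand-alone illustration (not the code of django-rotate-secret-key or of Django's signing module): session tokens are HMAC-signed with the current key, tokens signed with a previous key are still accepted until a cutoff, and any old-key token seen during the window is re-signed with the current key so it survives the cutoff. Key values, cutoff times and the `sign`/`verify`/`refresh` helpers are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo of a key-rotation window. Hypothetical helpers; not the
# library's or Django's own implementation.

def sign(payload: dict, key: str) -> str:
    """Serialize payload and append an HMAC-SHA256 tag computed with key."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"  # base64url never contains '.', so the split below is safe

def verify(token: str, current_key: str, old_keys: list, now: float):
    """Return (payload, signed_with_current_key).

    old_keys is a list of (key, cutoff_epoch): an old key is only tried while
    now < cutoff, which is the limited window the post talks about. After the
    cutoff the old key is dead and the list can simply be emptied.
    """
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None, False
    candidates = [current_key] + [k for k, cutoff in old_keys if now < cutoff]
    for key in candidates:
        expected = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            return json.loads(base64.urlsafe_b64decode(body)), key == current_key
    return None, False

def refresh(token: str, current_key: str, old_keys: list, now: float):
    """Accept a session from either key; if it was signed with an old key,
    re-sign it with the current key so the user stays logged in past the cutoff.
    Returns the (possibly new) token, or None if the session is rejected."""
    payload, is_current = verify(token, current_key, old_keys, now)
    if payload is None:
        return None
    return token if is_current else sign(payload, current_key)
```

A real deployment would set the cutoff to comfortably exceed the session lifetime, so that every active session has been seen and re-signed at least once before the old key is removed.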

