Hello. I have some questions about cookies and encryption but couldn’t find what I was looking for.

- What are best practices for generating an encryption salt for cookies? Can it be hardcoded like the `signing_salt` (in the Plug.Session config in endpoint.ex) or does it need to be dynamically generated?
- Using the default algorithm and key length, what kind of performance impact should be expected when changing cookies to encrypted? I found a comment by Jose in the Rails repo from back in 2012 where he says he is not “pleased with the overhead of encrypting cookies by default”, which implies that it must be significant or at least noticeable. Is there an easy way to set up benchmarking and measure it?
- What are the considerations for existing cookies out in the wild when going from unencrypted to encrypted cookies? Based on my testing they seem to just get invalidated (which is expected) – should I expect any error messages? Most importantly: is there a way to do this without forcing all users to essentially log out and back in?
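An added example (not from the poster or from Plug itself) of the kind of quick benchmark the second question asks for: it times signed versus encrypted session round-trips with the `Plug.Crypto` top-level API, using the same PBKDF2 key-derivation options the cookie store defaults to. It assumes plug_crypto 1.1 or later (`Plug.Crypto.sign/4`, `verify/4`, `encrypt/4`, `decrypt/4`); the salts and session map are constructed, and the printed numbers are specific to the machine they run on.

```elixir
# Added example: micro-benchmark of signed vs. encrypted session cookie round-trips.
# Assumes plug_crypto >= 1.1. Run with `mix run bench.exs` inside a project that
# depends on :plug_crypto (or paste into `iex -S mix`).

# Stands in for the endpoint's secret_key_base (constructed, never reuse in production).
key_base = :crypto.strong_rand_bytes(64) |> Base.encode64()
signing_salt = "signing salt"          # constructed; mirrors the Plug.Session setting
encryption_salt = "encryption salt"    # constructed; the salt the question asks about

# A session payload of realistic size: an id plus a 32-byte CSRF token (constructed).
session = %{"user_id" => 12_345, "_csrf_token" => String.duplicate("x", 32)}
iterations = 1_000

# Plug.Session's cookie store derives keys with these defaults, so use the same ones.
opts = [key_iterations: 1000, key_length: 32, key_digest: :sha256]

# Signed-only cookie: integrity but no confidentiality (payload is readable by the client).
sign_and_verify = fn ->
  token = Plug.Crypto.sign(key_base, signing_salt, session, opts)
  {:ok, ^session} = Plug.Crypto.verify(key_base, signing_salt, token, opts)
end

# Encrypted cookie: confidentiality and integrity (authenticated encryption).
encrypt_and_decrypt = fn ->
  token = Plug.Crypto.encrypt(key_base, encryption_salt, session, opts)
  {:ok, ^session} = Plug.Crypto.decrypt(key_base, encryption_salt, token, opts)
end

# Average microseconds per full round-trip over `iterations` runs.
bench = fn label, fun ->
  {micros, _} = :timer.tc(fn -> Enum.each(1..iterations, fn _ -> fun.() end) end)
  IO.puts("#{label}: #{Float.round(micros / iterations, 1)} µs per round-trip")
end

# Warm up once so module loading is not counted, then measure both variants.
sign_and_verify.()
encrypt_and_decrypt.()
bench.("signed", sign_and_verify)
bench.("encrypted", encrypt_and_decrypt)
```

Both variants re-derive keys with PBKDF2 on every call, so comparing the two lines isolates the cost of the encryption step itself rather than the key derivation both share.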