From 5aa4a21d9dac6e49b5e4883196dbff5da4f267ee Mon Sep 17 00:00:00 2001 From: Morgan Roderick Date: Sun, 15 Feb 2026 14:10:17 +0100 Subject: [PATCH 1/2] fix(security): migrate cookie serializer from :marshal to :hybrid Part 1 of 2-step migration: - :hybrid allows reading existing :marshal cookies - New cookies are written as :json - After sessions expire, will switch to :json --- config/initializers/cookies_serializer.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb index 1389e86a3..f51a497e1 100644 --- a/config/initializers/cookies_serializer.rb +++ b/config/initializers/cookies_serializer.rb @@ -2,4 +2,4 @@ # Specify a serializer for the signed and encrypted cookie jars. # Valid options are :json, :marshal, and :hybrid. -Rails.application.config.action_dispatch.cookies_serializer = :marshal +Rails.application.config.action_dispatch.cookies_serializer = :hybrid From 9164a4876a4e9f72d579ddad7fd4912136535434 Mon Sep 17 00:00:00 2001 From: Morgan Roderick Date: Sun, 15 Feb 2026 14:13:00 +0100 Subject: [PATCH 2/2] fix(security): migrate cookie serializer from :hybrid to :json Final step - now using :json for all cookies (read and write) --- config/initializers/cookies_serializer.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb index f51a497e1..5a6a32d37 100644 --- a/config/initializers/cookies_serializer.rb +++ b/config/initializers/cookies_serializer.rb @@ -2,4 +2,4 @@ # Specify a serializer for the signed and encrypted cookie jars. # Valid options are :json, :marshal, and :hybrid. -Rails.application.config.action_dispatch.cookies_serializer = :hybrid +Rails.application.config.action_dispatch.cookies_serializer = :json
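Review bot: On the `= :hybrid` line in PATCH 1/2, new cookies start being written as JSON as soon as this lands, but the patch touches only the initializer and shows no check of what the application stores in its signed and encrypted cookies. JSON does not round-trip everything Marshal does: hash keys come back as strings, and Date and Time values come back as strings. Audit the session and cookie writes for symbols, time values and custom objects before merging, and add a test that reads such a value back after a write. Note also that with `:hybrid` the Marshal read path is still live for incoming cookies in the old format, so the security fix named in the subject only takes full effect with 2/2. The commit message says "After sessions expire" without giving a duration; state the longest cookie lifetime that the window has to cover.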
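Review bot: On the `= :json` line in PATCH 2/2, this commit is dated 14:13:00, three minutes after 1/2 (14:10:17), and both are in the same series, so if they merge and deploy together the `:hybrid` step never runs in production. The message for 1/2 says the switch to `:json` happens "After sessions expire", and that `:hybrid` is what "allows reading existing :marshal cookies"; going straight to `:json` means cookies still in Marshal format can no longer be read. Hold 2/2 as a separate change and merge it only after 1/2 has been deployed for at least the longest lifetime of any signed or encrypted cookie the application sets, and record that date or condition in the commit message.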