Effects of changing Django's SECRET_KEY

Question

I made a mistake and committed my Django project's SECRET_KEY into a public repository.

This key should have been kept secret according to the docs.

The Django project is live and has been running for a while with some active users. What are the effects if I change the SECRET_KEY? Will any existing users, cookies, sessions, etc.. be affected? Obviously, the new SECRET_KEY will no longer be stored in a public location.

Answer 1

Edit: This answer is based on django 1.5

SECRET_KEY is used in a lot of various places, I'll point out what is impacted by it first and then try to go over that list and give precise explanation of the impact.

The list of things using SECRET_KEY directly or indirectly:

• JSON object signing
• crypto functions for salted hmacs or seeding the random engine which impacts:
  • password reset token
  • comment form security to protect against forged POST requests
  • form security
  • protect against message tampering as the message framework may use cookies to pass messages between views.
  • protect session data and create random session keys to avoid tampering as well.
  • create random salt for most password hashers
  • create random passwords if necessary
  • create itself when using startproject
  • create CSRF key

In reality a lot of the items listed here use SECRET_KEY through django.utils.crypt.get_random_string() which uses it to seed the random engine. This won't be impacted by a change in value of SECRET_KEY.

User experience directly impacted by a change of value are:

• sessions, the data decode will break, that is valid for any session backend (cookies, database, file based or cache).
• password reset token already sent won't work, users will have to ask a new one.
• comments form (if using django.contrib.comments) will not validate if it was requested before the value change and submitted after the value change. I think this is very minor but might be confusing for the user.
• messages (from django.contrib.messages) won't validate server-side in the same timing conditions as for comments form.

UPDATE: now working on django 1.9.5, a quick look at the source gives me pretty much the same answers. Might do a thorough inspection later.