Hey,
For backwardscompatibility we’d probably be looking at one or two releases back, though it’s possible we have to support earlier as well. We’ll do trade offs when we get to that.
The tough part about cookies is that they can survive more than one Rails release because a person who visited the site long ago, with an old cookie, could come back and thus the cookie must still be supported.
We want this to have better expiry built in to cookies and Google’s SHA1 collision has nothing to do with it :)