Don't throw on invalid cookies #9


Since cookies are user input, we shouldn't throw an exception if the cookie does not pass our tests.
Imho ignoring it is sufficient.

Maybe we could emit an event for debugging purposes, but certainly not an error.


+1. As it stands now, client code must clumsily work around it at a higher level, something like:


var cookieSessionMiddleware = sessions({
    secret: COOKIE_SECRET,
    session_key: COOKIE_KEY,
    path: '/'
});

server.use(function(req, resp, next) {
    try {
        cookieSessionMiddleware(req, resp, next);
    } catch(e) {
        // The session middleware threw on an invalid cookie: drop it and retry.
        console.log("invalid cookie found: ignoring");
        delete req.cookies[COOKIE_KEY];
        cookieSessionMiddleware(req, resp, next);
    }
});


Is this project still being worked on? Any better alternatives?
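
The behaviour this pull request asks for, sketched as an added example (not code from this project or from any participant in the thread): a cookie that fails validation is treated as absent, and an optional hook reports it for debugging. The cookie format (base64url JSON, a dot, a hex HMAC-SHA256) and the names `encodeSession`, `decodeSession`, `sessionMiddleware` and `onInvalid` are assumptions made for the illustration; `secret` and `session_key` mirror the options shown in the workaround above.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed cookie format for this example: base64url(JSON) + "." + hex(HMAC-SHA256).
function sign(payload, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(payload).digest('hex');
}

function encodeSession(data, secret) {
  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
  return payload + '.' + sign(payload, secret);
}

// Returns the session object, or null for any cookie that fails validation.
// Never throws on client-controlled input.
function decodeSession(cookie, secret) {
  if (typeof cookie !== 'string') return null;
  const dot = cookie.lastIndexOf('.');
  if (dot <= 0) return null;
  const payload = cookie.slice(0, dot);
  const mac = Buffer.from(cookie.slice(dot + 1), 'utf8');
  const expected = Buffer.from(sign(payload, secret), 'utf8');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (mac.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(mac, expected)) return null;
  try {
    const data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    return data !== null && typeof data === 'object' ? data : null;
  } catch (e) {
    return null; // correctly signed but not parsable as JSON
  }
}

// Middleware: an invalid cookie yields an empty session instead of an exception.
// onInvalid is a hypothetical debugging hook, called only when a cookie was
// present but rejected.
function sessionMiddleware(opts) {
  return function (req, resp, next) {
    const raw = req.cookies ? req.cookies[opts.session_key] : undefined;
    const session = decodeSession(raw, opts.secret);
    if (raw !== undefined && session === null && opts.onInvalid) opts.onInvalid(req);
    req.session = session || {};
    next();
  };
}
```

Because the signature is checked before the payload is decoded, unauthenticated input never reaches `JSON.parse`.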
