Don't throw on invalid cookies #9

Open

@bkw

Since cookies are user input, we shouldn't throw an exception if the cookie does not pass our tests.
IMHO, ignoring it is sufficient.

Maybe we could emit an event for debugging purposes, but certainly not an error.

@lloyd

+1. As it stands now, client code must clumsily work around it at a higher level, something like:

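```javascript
// Parse the Cookie header into req.cookies first.
server.use(express.cookieParser());

var cookieSessionMiddleware = sessions({
    secret: COOKIE_SECRET,
    session_key: COOKIE_KEY,
    path: '/'
});

// Wrap the session middleware so an invalid cookie does not fail the request.
server.use(function(req, resp, next) {
    try {
        cookieSessionMiddleware(req, resp, next);
    } catch(e) {
        console.log("invalid cookie found: ignoring");
        // Drop the offending cookie and run the middleware again without it.
        delete req.cookies[COOKIE_KEY];
        cookieSessionMiddleware(req, resp, next);
    }
});
```
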
@jasoo24

+1

Is this project still being worked on? Any better alternatives?
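
The behaviour requested in this thread (treat a cookie that fails validation as absent, optionally emit a debug event, never throw), as an added example that is not code from this pull request or the project. The cookie format, `cookieEvents`, `encodeSession`, `decodeSession` and `cookieSession` are assumptions made for illustration; only the `secret` and `session_key` option names come from the snippet above.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');
const { EventEmitter } = require('node:events');

// Hypothetical debug channel: emits 'invalid' (never 'error', which throws when unhandled).
const cookieEvents = new EventEmitter();

function mac(payload, secret) {
    return createHmac('sha256', secret).update(payload).digest();
}

// Constructed format for this example: base64url(JSON) "." base64url(HMAC-SHA256).
function encodeSession(session, secret) {
    const payload = Buffer.from(JSON.stringify(session)).toString('base64url');
    return payload + '.' + mac(payload, secret).toString('base64url');
}

function reject(reason) {
    cookieEvents.emit('invalid', reason); // debugging aid only
    return null;
}

// Returns the session object, or null for any cookie that fails a check.
function decodeSession(raw, secret) {
    if (typeof raw !== 'string') return reject('not a string');
    const dot = raw.indexOf('.');
    if (dot < 1) return reject('malformed');
    const payload = raw.slice(0, dot);
    const given = Buffer.from(raw.slice(dot + 1), 'base64url');
    const expected = mac(payload, secret);
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
        return reject('bad signature');
    }
    try {
        const value = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
        return value !== null && typeof value === 'object' ? value : reject('not an object');
    } catch (e) {
        return reject('bad JSON');
    }
}

// Express-style middleware; option names follow the snippet in the thread.
function cookieSession(opts) {
    return function (req, resp, next) {
        const raw = req.cookies && req.cookies[opts.session_key];
        req.session = (raw === undefined ? null : decodeSession(raw, opts.secret)) || {};
        next(); // called exactly once, outside any try/catch
    };
}
```

Because `next()` runs once and outside any `try`/`catch`, an exception thrown by a later handler is not mistaken for a bad cookie, and the request is never processed twice.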
