The current online documentation leaves some questions pertaining to using the cookieParser. The current text states that "Optionally you may enabled signed cookie support by passing a secret string." implying that without such a string, secure cookies won't work, regardless of whether a cookie has a 'secret' set. If this is the case, it would be good to mention this explicitly. It also doesn't explain what happens when both cookieParser and a cookie have a secret string set. Which one is used, does a cookie still need a secret, or will it fall back to the cookieparser secret, etc.
(filed because we had great difficulty getting cookies to work across subdomains, despite using matching cookie secret strings. Adding a nonsense string to the cookieParser suddenly made things work, which is not the most intuitive behaviour when there are already secret strings encoded in the cookies.)