Explain how to generate session secret in README #734

Closed
pkrasicki opened this issue Mar 21, 2020 · 7 comments
Comments

@pkrasicki

There should be some explanation about what the session secret should be. Can it just be a phrase or does it need to be a random combination? How to generate it in a secure way? Is something like this a good idea?

```js
const crypto = require("crypto");
const express = require("express");
const session = require("express-session");

const app = express();

app.use(session({
	// a fresh random secret each time the process starts
	secret: crypto.randomBytes(20).toString("hex"),
	resave: true,
	saveUninitialized: true
}));
```
@ghinks ghinks added the docs label Mar 21, 2020
@ghinks
Contributor

ghinks commented Mar 21, 2020

Thank you @pkrasicki. I will take that on board when I update the documentation, which is on my list of items to complete. In general the secret is often shared amongst several instances of Node.js running in a cluster or Docker type arrangement, so it is usually a constant value. However, your suggestion is a good one and I'm glad you made it. The secret is there so you know you generated the cookie and someone else did not.

@dougwilson
Contributor

Right. And I would add that @pkrasicki your example would probably not work for a long-term app: when the server that had that code restarted (intended or otherwise), all sessions would be lost, as it would end up creating a brand new secret. None of the users' cookies would have been signed with the new secret, so they would end up rejected by the server, creating new sessions for everyone. If you used your sessions to manage a login type system, then it would look like users were suddenly logged out. The other issue with your example is that if you need more capacity and so have more than one Node.js server handling requests, they would end up with different secrets, so sessions would appear to not function at all.

@pkrasicki
Author

Thank you for such a detailed explanation! :)

@ghinks ghinks closed this as completed Mar 25, 2020
@pkrasicki
Author

The issue was closed, but I still don't see this mentioned in the README. Beginners will copy the code with the default secret and possibly expose their app to attacks. Tutorials don't mention this either.

@pkrasicki
Author

@ghinks, @dougwilson any update on this?

@dougwilson
Contributor

I don't believe I indicated I am doing anything on this issue, besides answering the question :)

@pkrasicki
Author

My mistake :). I mostly just don't understand why it was closed.
