Explain how to generate session secret in README #734
Comments
Thank you @pkrasicki I will take that on board when I update the documentation which is on my list of items to complete. In general the secret is often shared amongst several instances of nodeJS running in a cluster or docker type arrangement it is usually a constant value. However your suggestion is a good one and I'm glad you made it. The secret is there so you know you generated the cookie and someone else did not.
Right. And I would add that @pkrasicki your example would probably not work for a long-term app as when the server that had that code restarted (intended or otherwise) all sessions would be lost, as it would end up creating a brand new secret and all the user's cookies would not have been signed with the new secret and would end up rejected by the server, creating new sessions for everyone. If you used your sessions to manage a login type system, then it would look like users would suddenly be logged out. The other issue with your example is that if you need more capacity so have more than one Node.js server handling requests, they would end up with different secrets, so sessions would appear to not function at all.
Thank you for such a detailed explanation! :)
The issue was closed, but I still don't see this mentioned in readme. Beginners will copy the code with default secret and possibly expose their app to attacks. Tutorials don't mention this either. |
@ghinks, @dougwilson any update on this? |
I don't believe I indicated I am doing anything on this issue, besides answered the question :) |
My mistake :). I mostly just don't understand why it was closed. |
There should be some explanation about what the session secret should be. Can it just be a phrase or does it need to be a random combination? How to generate it in a secure way? Is something like this a good idea?