Replace MemoryStore with CookieStore #50
Comments
The data is also irrevocable...
Session-id in cookie seems totally fine to me in case of SPA-SSR: https://auth0.com/docs/login/spa/authenticate-with-cookies
Exposing For example, I found this issue today because I tried to see if a nextjs server using Perhaps not entirely relevant, but:
Security-wise though, it obviously is better to sign the cookie. A future version of
We're having this problem here. Our main application uses express-session and we are creating a new one with Next.js and next-session using RedisStore that needs to share the same session. Express-session adds a 's:' and signs the cookie with cookie-signature using a secret defined on options as you may see here and here. I was wondering if next-session could support this or at least expose a method to parse the session id.
`MemoryStore` is currently the default store in `next-session`. It saves all the data in the memory, which is obviously not suited for Production.

`CookieStore` stores everything in a signed cookie. The cookie is readable by the user but will not be tamperable.

Like `MemoryStore`, `CookieStore` will still be noted as not recommended and should only be used in development.

Any opinion?
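The signed-cookie format discussed in this thread (the `s:` prefix plus a cookie-signature HMAC that the express-session comment describes, and the "readable but not tamperable" property from the issue description), as an added example that is not code from next-session or express-session. The function names, the secret and the session id are constructed for illustration; the MAC is HMAC-SHA256 encoded as base64 with padding stripped, which is the encoding cookie-signature uses.

```javascript
const crypto = require('node:crypto');

// HMAC-SHA256 over the value, base64 with '=' padding stripped.
function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value)
    .digest('base64').replace(/=+$/, '');
}

// Build the cookie value: "s:" + session id + "." + MAC.
// The session id stays readable; only the MAC depends on the secret.
function signSessionId(sid, secret) {
  return 's:' + sid + '.' + mac(sid, secret);
}

// Return the session id if the cookie verifies against one of the secrets,
// otherwise null. Taking a list of secrets is this example's choice, so a
// rotated-out secret can still verify older cookies.
function parseSessionCookie(rawCookie, secrets) {
  let value;
  try {
    value = decodeURIComponent(rawCookie); // cookie values arrive URL-encoded
  } catch {
    return null; // malformed percent-encoding
  }
  if (!value.startsWith('s:')) return null; // unsigned value: reject
  const signed = value.slice(2);
  const dot = signed.lastIndexOf('.');
  if (dot <= 0) return null; // no id or no MAC
  const sid = signed.slice(0, dot);
  const given = Buffer.from(signed.slice(dot + 1));
  for (const secret of secrets) {
    const expected = Buffer.from(mac(sid, secret));
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length === expected.length &&
        crypto.timingSafeEqual(given, expected)) {
      return sid;
    }
  }
  return null;
}

// Constructed sample values, not taken from the thread.
const SECRET = 'constructed-demo-secret';
const cookie = encodeURIComponent(signSessionId('constructed-session-id', SECRET));
```

The parsed id is only a lookup key for the shared store (RedisStore in the comment above); verification failure should be treated the same as a missing session.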