cookie parsing improvements #1428

Merged
merged 1 commit into from
Sep 9, 2023

jkeys089
Contributor

@jkeys089 jkeys089 commented Sep 8, 2023

Author should do the following, if applicable

  • Add tests
  • Run tests
  • yarn denoify to generate files for Deno

Improvements

  • validate cookie names and values during parsing per rfc6265 to mitigate various security threats
  • protect signed cookies against timing attacks (i.e. utilize crypto.subtle.verify instead of comparing strings)
  • fix bug where unsigned cookie values that match the shape of signed values are not returned
  • remove constraints on signed cookie values (e.g. signed values can contain period now)
  • allow use of binary secret for signed cookies
  • improved efficiency (e.g. remove duplicated logic / cache secret key when verifying multiple signed values)
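
An added example (not part of this pull request and not Hono's own code) of the first items in the list above: dropping cookie pairs that violate the RFC 6265 grammar, and checking a signed cookie with `crypto.subtle.verify` instead of a string comparison. The `value.signature` layout with a base64 HMAC-SHA256 signature and the names `importKey`, `sign`, `unsign` and `parseCookies` are assumptions made for illustration.

```javascript
// Added example. Assumed format: "<value>.<base64 HMAC-SHA256 of value>".
// Web Crypto is global in browsers, Workers and recent Node; fall back for older Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();

// RFC 6265 section 4.1.1: cookie-name is a token; cookie-value is *cookie-octet,
// optionally wrapped in double quotes (no CTLs, spaces, quotes, commas, ';' or '\').
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const VALUE_RE = /^("?)[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\1$/;

// Import the key once and reuse it for every cookie; secret may be a string or bytes.
function importKey(secret) {
  const raw = typeof secret === 'string' ? enc.encode(secret) : secret;
  return subtle.importKey('raw', raw, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

async function sign(value, key) {
  const mac = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(value)));
  return `${value}.${btoa(String.fromCharCode(...mac))}`;
}

// Resolves to the original value if the signature verifies, otherwise to false.
async function unsign(signed, key) {
  const dot = signed.lastIndexOf('.'); // split on the last period: values may contain '.'
  if (dot === -1) return false;
  let mac;
  try {
    mac = Uint8Array.from(atob(signed.slice(dot + 1)), (c) => c.charCodeAt(0));
  } catch {
    return false; // signature part is not valid base64
  }
  const value = signed.slice(0, dot);
  // The MAC comparison happens inside the crypto implementation, not with ===.
  return (await subtle.verify('HMAC', key, mac, enc.encode(value))) ? value : false;
}

// Parse a Cookie header, skipping pairs whose name or value breaks the grammar.
function parseCookies(header) {
  const out = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (NAME_RE.test(name) && VALUE_RE.test(value)) out[name] = value.replace(/^"|"$/g, '');
  }
  return out;
}
```
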

@yusukebe
Member

yusukebe commented Sep 9, 2023

Cool! Looks good. Thanks @jkeys089 !

@yusukebe yusukebe merged commit d6ec48e into honojs:main Sep 9, 2023
10 checks passed
mrbbot added a commit to cloudflare/workers-sdk that referenced this pull request Feb 7, 2024
honojs/hono#1428 improved cookie parsing and addresses the
`Cannot read properties of undefined (reading 'split')` issues we're
seeing.