Closed
Hello,
In the documentation it is written that the data in the cookie is only signed, but not encrypted. I understand that it is signed because the cookie id is a hash of the cookie data, and attempting to alter only the data will fail...
But since there is no (external) signing key, what would prevent someone from forging a cookie with any data for a website?
If I understand correctly (and maybe I don't), that would be a severe security issue?!
Would it be possible to pass a key known only to the server to `CookieStore::new(a_secret_key)`
to sign all the cookies (and deactivate them all if the key is changed)?
Thanks,
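An added illustration of the point raised in the issue, not code from the project: an unkeyed hash lets any client produce a cookie id that verifies, while an HMAC under a server-only key does not, and rotating that key invalidates every existing cookie. The `KeyedCookieStore` class, `serialise` helper and the key values are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample session data standing in for what a cookie store serialises.
SESSION = {"user_id": 42, "role": "user"}

def serialise(data: dict) -> bytes:
    # Canonical encoding so the same data always hashes the same way.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def unkeyed_id(data: dict) -> str:
    # The scheme the issue describes: the cookie id is a plain hash of the data.
    # Nothing here is secret, so any client can recompute it for any data.
    return hashlib.sha256(serialise(data)).hexdigest()

def unkeyed_verify(data: dict, cookie_id: str) -> bool:
    # Only proves data and id are consistent with each other, not that the
    # server produced them.
    return hmac.compare_digest(unkeyed_id(data), cookie_id)

class KeyedCookieStore:
    """Hypothetical sketch of the fix the issue asks for (not the crate's API):
    a server-only key turns the hash into an HMAC, so clients cannot mint ids."""

    def __init__(self, secret_key: bytes) -> None:
        if len(secret_key) < 32:
            raise ValueError("secret_key must be at least 32 bytes")
        self._key = secret_key

    def issue(self, data: dict) -> str:
        return hmac.new(self._key, serialise(data), hashlib.sha256).hexdigest()

    def verify(self, data: dict, cookie_id: str) -> bool:
        # Constant-time compare so verification does not leak the tag byte by byte.
        return hmac.compare_digest(self.issue(data), cookie_id)

def demo() -> dict:
    chosen = {"user_id": 1, "role": "admin"}  # client-chosen data, constructed
    store = KeyedCookieStore(b"S" * 32)       # placeholder server key
    rotated = KeyedCookieStore(b"R" * 32)     # placeholder key after rotation
    cookie_id = store.issue(SESSION)
    return {
        "unkeyed_accepts_client_data": unkeyed_verify(chosen, unkeyed_id(chosen)),
        "keyed_accepts_genuine": store.verify(SESSION, cookie_id),
        "keyed_accepts_client_data": store.verify(chosen, unkeyed_id(chosen)),
        "keyed_accepts_after_rotation": rotated.verify(SESSION, cookie_id),
    }
```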