Cookie signatures lose attributes upon re-signing, causing persistent cookie to become invalid #22

Open
jspilman opened this Issue Jan 3, 2013 · 3 comments

3 participants

@jspilman

When the .sig cookie is set the first time, you have all the 'opts' from the base cookie, and they propagate into the .sig cookie. But when re-signing due to expired key, the 'opts' simply aren't available, because all you have is the name=value that the client browser sends back.

Specifically… starting at Line 54 – we push the base cookie, then update the same object to become a signature, and push it. This should make both cookies share all the same options:

    headers = pushCookie(headers, cookie)
    if (opts && signed) {
      cookie.value = this.keys.sign(cookie.toString())
      cookie.name += ".sig"
      headers = pushCookie(headers, cookie)
    }

But up in the ‘get’ method, if we detect the signing key index was not zero on Line 34:

    index && this.set(sigName, this.keys.sign(data), { signed: false })

here all we have is name and value. The cookie we’re looking at could have been configured months ago, all the domain/path/expires/etc. settings are long gone from the server.

The largest impact I think is for persistent signed cookies. If the persistent cookie is re-signed due to a new key, the signature will always expire the next time the user closes their browser, since no ‘expire’ is set. Then the next time we do a ‘get’ on the base cookie, the signature will be gone completely, and it will come back as having an invalid signature.

@jed
jed commented Jan 4, 2013

hmm. this is a good point. i'm not sure there's much we can do other than giving a heads-up in the README. what do you think?

@jspilman
@jed
jed commented Jan 8, 2013

good point, @jspilman. i'm a little queasy about bloating the scope of the .sig cookie with this much state, to be honest. perhaps we'd be better off with opt-in defaults for specific cookie implementations?

@Fishrock123 Fishrock123 added the bug label May 11, 2014