Something I have done in my own cookie session middleware is to encrypt the cookie value versus signing. The primary reason for this was to prevent the end user from seeing the session data. It has the added benefit of also verifying the cookie data (no longer needing a specific signature).
Thoughts on changing the connect middleware to do this instead? It seems like a more sensible default to me but maybe other web frameworks don't take this approach. Certainly anyone is free to write their own middleware as I did :)
I am happy to do a pull request with how I implemented it if this is something worth entertaining further.
Any thoughts on this? If it is outside the interest or scope of the project, feel free to close.
Possible reference implementation. Not perfect but gets my point across.
Agree! Just switched on cookie sessions and saw that session values are passed as clear text in response cookie, little creepy ...
if you are interested, my yummy package provides just cookie session middleware that encrypts the cookie. there are a few approaches to how secure you want this to be and various tradeoffs. Overall, yes i still maintain that the value probly shouldnt be cleartext. Maybe the docs should just make this clear :/
Found few modules which provides such functionality, but was wondering why it's not done in cookiesession in connect, or at least as you said there should be something in docs about it.
Closing this. Opinionated and I don't think it's always necessary. For new users, it's harder to debug. Docs explaining that it's signed and not encrypted as well as links to implementations would be great.