encrypt cookie sessions versus signing #492

Closed
defunctzombie opened this Issue Feb 28, 2012 · 6 comments

3 participants
defunctzombie commented Feb 28, 2012

Something I have done in my own cookie session middleware is to encrypt the cookie value versus signing. The primary reason for this was to prevent the end user from seeing the session data. It has the added benefit of also verifying the cookie data (no longer needing a specific signature).

Thoughts on changing the connect middleware to do this instead? It seems like a more sensible default to me but maybe other web frameworks don't take this approach. Certainly anyone is free to write their own middleware as I did :)

I am happy to do a pull request with how I implemented it if this is something worth entertaining further.

defunctzombie commented Mar 5, 2012

Any thoughts on this? If it is outside the interest or scope of the project, feel free to close.

defunctzombie commented Mar 6, 2012

Possible reference implementation. Not perfect but gets my point across.

https://gist.github.com/1983227

twojcik commented Jun 7, 2012

Agree! Just switched on cookie sessions and saw that session values are passed as clear text in the response cookie, a little creepy ...

defunctzombie commented Jun 7, 2012

If you are interested, my yummy package provides just cookie session middleware that encrypts the cookie. There are a few approaches to how secure you want this to be and various tradeoffs. Overall, yes, I still maintain that the value probably shouldn't be cleartext. Maybe the docs should just make this clear :/

twojcik commented Jun 7, 2012

Thanks!
Found a few modules which provide such functionality, but was wondering why it's not done in cookieSession in connect, or at least, as you said, there should be something in the docs about it.

jonathanong commented Nov 18, 2013

Closing this. Opinionated and I don't think it's always necessary. For new users, it's harder to debug. Docs explaining that it's signed and not encrypted as well as links to implementations would be great.
