
encrypt cookie sessions versus signing #492

Closed
defunctzombie opened this Issue · 6 comments

3 participants

@defunctzombie

Something I have done in my own cookie session middleware is to encrypt the cookie value versus signing. The primary reason for this was to prevent the end user from seeing the session data. It has the added benefit of also verifying the cookie data (no longer needing a specific signature).

Thoughts on changing the connect middleware to do this instead? It seems like a more sensible default to me but maybe other web frameworks don't take this approach. Certainly anyone is free to write their own middleware as I did :)

I am happy to do a pull request with how I implemented it if this is something worth entertaining further.

@defunctzombie

Any thoughts on this? If it is outside the interest or scope of the project, feel free to close.

@defunctzombie

Possible reference implementation. Not perfect but gets my point across.

https://gist.github.com/1983227

@twojcik

Agree! Just switched on cookie sessions and saw that session values are passed as clear text in the response cookie, a little creepy ...

@defunctzombie

If you are interested, my yummy package provides just cookie session middleware that encrypts the cookie. There are a few approaches to how secure you want this to be, with various tradeoffs. Overall, yes, I still maintain that the value probably shouldn't be cleartext. Maybe the docs should just make this clear :/

@twojcik

Thanks!
Found a few modules which provide such functionality, but was wondering why it's not done in cookiesession in connect, or at least, as you said, there should be something in the docs about it.

@jonathanong

Closing this. Opinionated and I don't think it's always necessary. For new users, it's harder to debug. Docs explaining that it's signed and not encrypted as well as links to implementations would be great.
