Comments (8)
https://github.com/fastify/fastify-cookie/blob/master/package.json#L51 depends on cookie-signature, which introduces this problem. I think it would be better to solve this problem there.
I think so, yes. A lot of time has passed, my memory is a bit blurry on this detail.
I think this should be properly fixed - or maybe we should throw.
As far as I understand the code, this should work - there might be something odd at play - maybe some incompatibilities between cookie-signature and this module.
Just to make it clear what fastify-cookie does in case of signed=true: e.g. if we have cookie foo=bar, it adds a signature: foo=bar.<signature>.
In the case of fastify-secure-session it splits the cookie (https://github.com/fastify/fastify-secure-session/blob/master/index.js#L77) by ;. The first part is the cypher text; the rest is considered the nonce. But if we add signed=true, in the "rest" part we receive not only the nonce but the signature as well:
foo=<cypher_text>;<nonce>.<signature>
So this module considers the nonce part to be <nonce>.<signature> and checks its length, which should be 24. But obviously it would be longer because of .<signature>.
So maybe it's just worth checking if there's a dot symbol in the nonce part and ignoring the signature. Or maybe first validate the signature, then split into cypher text and nonce, ignoring the symbols after the .
What I do not understand is why the .signature part is still there. We are getting it from fastify-cookie and cookie-signature, and the signature part should have already been extracted.
(FYI, using cookie-signature with this module does not add any security benefits).
Just found this issue after researching why the session doesn't work. signed: false makes it work.
FYI express cookie stores the signature in a different cookie with the same options, named cookie.name.sig. Maybe this is clearer and avoids bugs like the above.
What I do not understand is why the .signature part is still there. We are getting it from fastify-cookie and cookie-signature, and the signature part should have already been extracted. (FYI, using cookie-signature with this module does not add any security benefits).
https://github.com/fastify/fastify-cookie/blob/master/package.json#L51 depends on cookie-signature, which introduces this problem. I think it would be better to solve this problem there.
Just to understand what you think the solution to the problem is (roughly):
fastify-secure-session/index.js, lines 145 to 151 in 9e723b3
The cookie should not contain the .<signature> suffix added by fastify-cookie when signing is enabled at that point?
I was not able to reproduce the error reported in this issue. Despite being passed signed: true, the cookie is decoded correctly by the library.
@SkeLLLa could you please create a public repo where the error is reproduced (if it can still be reproduced) so that I can have it as an up-to-date reference to the problem?
Thank you.