Make session secret key configurable and don't default to `_...` about lusca HOT 10 CLOSED

Hi @ForbesLindesay would you be able to share your code, or a skeleton that illustrates the issue? I don't have any working examples currently which I can use to reproduce this.
EDIT: Nevermind, I can reproduce this quite simply. Just didn't think it through far enough. Will get back to this issue with a resolution asap

from lusca.

We might want to consider changing the default, but the key is configuration in 1.x. See https://github.com/krakenjs/lusca#luscacsrfoptions

from lusca.

The key in question here isn't the key used to get the value off the request, but instead the one used to store the token in the user's current session.

from lusca.

I created this sample express app which can be used to reproduce the issue:
https://gist.github.com/grawk/af976c29fedfb6602db1

app.use(lusca({
    csrf: true
}));

can be replaced with this, and used with my master branch to illustrate the fix

app.use(lusca({
    csrf: {secret: 'shhCsrf'}
}));

from lusca.

Ah, my fault. I probably should have clicked on the first link in @ForbesLindesay's message 😄

from lusca.

I just ran into this problem when experimenting with switching between express-session and cookie-session. I personally think this is something that the cookie-session module should fix (allow things that start with "_") but it'd also be nice to be able to configure the session key.

Update: I just heard back from cookie-session and they'll be supporting "_" in 2.0. Doesn't help in the short-term though unfortunately.

from lusca.

Currently have a PR open to resolve the issue of lusca working with express-session pre "_" fix. It is being considered along with some other changes to lusca. Will update once released.

from lusca.

Looks like this change has been merged into the master branch; however, there is no tag for it yet. Any idea when it will be tagged and released?

from lusca.

Thanks for the bump @amityb I'll try and usher this through and tag it asap

from lusca.

#40 is the version bump with this change. Also note that [email protected] is now published

from lusca.