Comments (7)

jed commented on August 17, 2024

node scripts/install.js is all you need to make the default keys.

as for submodules, they've given me enough grief already, and keygrip is not a hard dependency; it's optional only if you want to sign cookies.

from cookies.

dvv commented on August 17, 2024

I'd say in our modern world unsigned cookies are evil ;)

I read the deprecation note and didn't get what the killer improvement over cookie-node is. Couldn't you elaborate on this? TIA

jed commented on August 17, 2024

vladimir,

good point. i've added a Features section to the README. let me know if you have any other questions.

dvv commented on August 17, 2024

Plain text signed cookies, even though they can't be tampered with, seem a bit more disclosing than I'd expect. Just reading them at sniffer level already provides valuable info. Wrong?

So the hardened (in fact, vanilla) solution (using secure, httponly, and signed: true via keygrip (and of course HTTPS transport)) would be nice to have as a simple drop-in one-file-module.

Still, great repo, thanks!

jed commented on August 17, 2024

i think that if you're putting valuable information in a cookie, you're doing it wrong, and no library should encourage that. so i don't think it's wise to try and over-engineer something in this case.

do you think the secure and httpOnly defaults should be flipped?

dvv commented on August 17, 2024

I do put the user id in a cookie; that's a requirement for a project I do. But they don't want it to be "visible" in plain. I know that's quirky but so things are. NVM

No, defaults are ok to me. The only inconvenience so far is that keygrip require()s defaults even if they are not needed -- this means node scripts/install.js must be run ...

jed commented on August 17, 2024

that makes sense.

i've changed defaultKeys.js into the plain JSON file defaultKeys.json

  • if keys are provided, it is not used.
  • if it exists and keys aren't provided, it is loaded and used.
  • else an error is thrown.

for some reason the GitHub interface isn't reflecting this latest push yet, but it should be there soon.

from cookies.
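
As an added example (not code from the cookies or keygrip repositories), the sketch below illustrates the two points raised in this thread: a signature detects tampering but leaves the cookie value readable on the wire, and the key fallback order listed in the last comment. The function names, the HMAC-SHA256 scheme, the `uid.sig` cookie name and the sample keys are assumptions made for illustration.

```javascript
// Added example; not code from the cookies or keygrip repositories.
const crypto = require('crypto');
const fs = require('fs');

// Key resolution in the order listed above: explicit keys win, otherwise
// the default key file is loaded, otherwise an error is thrown.
function resolveKeys(keys, defaultPath) {
  if (Array.isArray(keys) && keys.length > 0) return keys;
  if (defaultPath && fs.existsSync(defaultPath)) {
    return JSON.parse(fs.readFileSync(defaultPath, 'utf8'));
  }
  throw new Error('no signing keys provided and no default key file found');
}

// HMAC-SHA256 over the "name=value" string (assumed scheme for this sketch).
function sign(data, key) {
  return crypto.createHmac('sha256', key).update(data).digest('hex');
}

// Returns the index of the key that verifies the signature, or -1 if none.
// An index above 0 means an older key matched and the cookie needs re-signing.
function verify(data, sig, keys) {
  const given = Buffer.from(String(sig));
  return keys.findIndex((key) => {
    const expected = Buffer.from(sign(data, key));
    return expected.length === given.length &&
      crypto.timingSafeEqual(expected, given);
  });
}

// Constructed sample values (newest key first).
const KEYS = resolveKeys(['constructed-new-key', 'constructed-old-key'], null);
const cookie = 'uid=1042';
const sig = sign(cookie, KEYS[0]);

// The signature adds integrity only: the user id is still readable in transit.
console.log('on the wire:', `${cookie}; uid.sig=${sig}`);
console.log('intact:', verify(cookie, sig, KEYS));
console.log('tampered:', verify('uid=1', sig, KEYS));
console.log('old key:', verify(cookie, sign(cookie, KEYS[1]), KEYS));
```

Hiding the value itself needs encryption or an opaque server-side session identifier in addition to the signature.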
