Comments (5)
hmm. this is a good point. i'm not sure there's much we can do other than giving a heads-up in the README. what do you think?
from cookies.
The only way to deal with it transparently is to encode the options in the .sig, and then add another signature of the options as well.
```javascript
if (signed) {
  // Emit the companion "<name>.sig" cookie right after the cookie itself
  cookie.value = cookie.toSig();
  cookie.name += ".sig";
  headers = pushCookie(headers, cookie);
}

toSig: function() {
  // Serialize the attributes that must survive a re-sign, and sign them as well
  var options = JSON.stringify({ path: this.path, expires: this.expires, domain: this.domain, secure: this.secure });
  return JSON.stringify({
    sig: sign(this.toString()),  // signature over "name=value"
    opts: options,
    optsSig: sign(options)
  });
}
```
Then you would have to pull out the "opts" from the .sig cookie and use them when re-creating the .sig with a new signing key to keep the settings consistent.
Maybe not so bad when it's all said and done.
good point, @jspilman. i'm a little queasy about bloating the scope of the .sig cookie with this much state, to be honest. perhaps we'd be better off with opt-in defaults for specific cookie implementations?
This bug has been causing us quite a lot of trouble. I think this should be fixed as soon as possible.
This problem has caused trouble on our production website. We use expressjs/cookie-session (which uses this module as a dependency) and set the cookie to expire in 1 year (we have a server-side system to expire sessions). We rotated the key, but then session.sig gets set to expire at browser close instead of in 1 year when the user comes back and the session is re-signed. Then the user closes his browser, comes back and is logged out (which we don't want). We have taken several hours to find the cause of this issue and finally found this.