Comments (3)
This is now supported in v1.2.0!
I've looked through the next-iron-session repository to see how they handle secret rotation and liked the approach.
You can find more clear instructions to set up password rotation in the README
from svelte-kit-cookie-session.
Looks really good, thanks! Having a list is more flexible than the previousSecret I had suggested, since it would allow things like rotating secrets every day while keeping a 7-day expiration. (Which is more paranoid than my use case needs, but some people might need that).
The only thing I'd change about the implementation is that if a session cookie shows up with an ID not in the list, I'd prefer for the session to be destroyed rather than an error thrown. Because the most likely scenario where a cookie shows up with an invalid secret ID is when a secret was rotated out before that session expired, maybe because the secret was leaked (:scream: indeed). I'd much rather have that be treated the same as a session that timed out, rather than have to catch an exception and then figure out what happened to throw that exception.
Apart from that one quibble, thanks for a speedy implementation!
That's a good point I haven't thought of. Thanks for your request! I will try to get it in shortly.
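The behaviour requested in this thread, as an added example that is not svelte-kit-cookie-session's own code: a cookie carries the ID of the secret that sealed it, and a cookie whose ID is no longer in the list is handled like an expired session instead of raising an exception. The `seal`/`open` names, the `id.payload.mac` cookie layout and the use of HMAC signing in place of the library's sealing are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed secrets list, newest first; ids and values are made up for this example.
const SECRETS = [
  { id: 2, secret: 'constructed-secret-two-at-least-32-chars!' },
  { id: 1, secret: 'constructed-secret-one-at-least-32-chars!' },
];

const mac = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Seal with the newest secret. Hypothetical cookie layout: "<id>.<payload>.<mac>".
function seal(data, expiresAt, secrets = SECRETS) {
  const { id, secret } = secrets[0];
  const payload = Buffer.from(JSON.stringify({ data, expiresAt })).toString('base64url');
  const body = `${id}.${payload}`;
  return `${body}.${mac(secret, body)}`;
}

// Never throws on a bad cookie: every failure yields session === null, so the
// caller clears the cookie exactly as it would for a session that timed out.
function open(cookie, secrets = SECRETS, now = Date.now()) {
  const destroyed = (reason) => ({ session: null, reason });
  const parts = String(cookie).split('.');
  if (parts.length !== 3) return destroyed('malformed');
  const [id, payload, tag] = parts;

  // Secret rotated out (for example after a leak): not an error, just no session.
  const entry = secrets.find((s) => String(s.id) === id);
  if (!entry) return destroyed('unknown-secret-id');

  // Verify the MAC in constant time before trusting any part of the payload.
  const expected = Buffer.from(mac(entry.secret, `${id}.${payload}`));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return destroyed('bad-signature');
  }

  const { data, expiresAt } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (expiresAt <= now) return destroyed('expired');
  return { session: data, reason: 'ok' };
}
```

The `reason` field is there for logging only; request handling needs nothing beyond the `session === null` check.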