Signing cookies in express

If I understood cookie signing correctly, then what it does is: Sign a cookie with a secret when setting it. Unsign the cookie with the same secret to validate that it hasn't been changed when receiving it.

Now in expressjs there is res.cookie() to set cookies and that takes a "signed" boolean to set if the cookie should be signed or not.

Now, what secret is used for signing? I think it might use the secret provided to cookieParser(), but that isn't actually mentioned explicitly in the documentation anywhere.

So my question is essentially: How do I set the secret to be used for signing cookies in expressjs?

I did read the express documentation and searched google and stackoverflow for an answer, sorry if I am missing something obvious.

Leander Behr asked Sep 11 '18 23:09


3 Answers

Express will indeed use the secret provided to cookie-parser to sign your cookie. Cookie-parser will inject the secret into your request object. Then, express will use it in order to sign the cookie. If no secret is provided to cookie-parser (or another middleware), then express will throw an error when trying to set a new signed cookie.

Answering your question, that's how you should set the secret (using cookie-parser):

var express = require('express')
var cookieParser = require('cookie-parser')

var app = express()
app.use(cookieParser('your-secret'))

app.get('/', (req, res, next) => {
  res.cookie('name', 'value', { signed: true })
  res.json({})
})

Then it will be available in req.signedCookies.

rghossi answered Oct 10 '22 15:10


var express      = require('express')
var cookieParser = require('cookie-parser')

var app = express()
app.use(cookieParser('yourSecretGoesHere'))

Reference: https://www.npmjs.com/package/cookie-parser

marconato answered Oct 10 '22 13:10


This cookieParser() takes a secret and options. For signed cookies, you can access them through req.signedCookies, and for unsigned cookies just req.cookies. For sending cookies with the response, use cookie like

app.use(cookieParser('12345'));
// Inside a route handler. The signature uses the secret given to cookieParser()
// above; res.cookie() has no 'secret' option, so none is passed here.
res.cookie('username', 'john doe', { maxAge: 900000, httpOnly: true, signed: true });
res.cookie('user_name', 'anik islam', { maxAge: 900000, httpOnly: true, signed: false });

And you can access cookies like

console.log(req.cookies);
console.log(req.signedCookies);

ANIK ISLAM SHOJIB answered Oct 10 '22 15:10
