I am using Passport.js with Koa, and I noticed that when a session cookie is generated, it is called koa:sess and contains the session information encoded as Base64. However, there is another cookie called koa:sess.sig, and its purpose is not obvious. My guess would be that it is intended to stop an attacker from spoofing the session (since the koa:sess cookie just contains the user ID), is this the case?
From the documentation:
signed: a boolean indicating whether the cookie is to be signed (false by default). If this is true, another cookie of the same name with the .sig suffix appended will also be sent, with a 27-byte url-safe base64 SHA1 value representing the hash of cookie-name=cookie-value against the first Keygrip key. This signature key is used to detect tampering the next time a cookie is received.