How does session cookie sharing work?

I would like to understand how the connect.sid cookie works in Connect (Node.js). I noticed that they are shaped like:

s:hash.signature 

I don't understand how the signature is used when the hash is more than can be used to access session data from the memory store or redis store.

Also, I don't understand why s: is present in the cookie; what is its purpose?

I heard that the signature is used to "sign" the hash. What exactly does "sign" or "signed" mean? I also need an explanation of this process.

Thanks!

+4
1 answer

There is a signature, so the server can verify that it generated a cookie, and not some random attacker.

Only someone who knows the secret used for signing can sign it with the same meaning.

"s:" is there so that it is easy to tell that it is a signed cookie, and not some other format (for example, unsigned).

Here is the way to retrieve data from a signed cookie and fail if it is incorrect. It is only partial code extracted from a real application, but you should get the idea.

    var cookie = require('cookie');
    var connect = require('connect');
    var secret = "same secret used to sign cookies";

    // socket.io "authorization" hook: it runs on the handshake request,
    // which is where the HTTP headers (and therefore the cookies) are visible
    socketio.set('authorization', function (data, cb) {
      if (data.headers.cookie) {
        var sessionCookie = cookie.parse(data.headers.cookie);
        // strips the "s:" prefix and checks the signature against the secret;
        // yields false when the signature does not verify
        var sessionID = connect.utils.parseSignedCookie(sessionCookie['connect.sid'], secret);
        if (sessionID === false) {
          return cb(null, false); // reject the handshake: cookie was not signed by us
        }
        // do something here with decoded value
        return cb(null, true);
      }
      cb(null, false); // no cookie at all: not authorized
    });

You need to use the "authorization" function from socket.io so that you have access to the headers. This code works when using the xhr-poll transport, I'm not sure if this will work for websocket, for example.

+3
