What are "signed" cookies in connect / expressjs?

I'm trying to figure out what "signed cookies" are. There is not much online, and if I try this:

app.use(express.cookieParser('A secret')); 

But still, the cookies look 100% normal in the browser, and I really don't know what is "signed" here (I kind of hoped to "see" some kind of weirdness on the client, something like the data being encrypted using "Secret" as a salt?).

The documentation states ( https://github.com/expressjs/cookie-parser ):

Parse the Cookie header and populate req.cookies with an object keyed by the cookie names. Optionally, you may enable signed cookie support by passing a secret string, which assigns req.secret so it may be used by other middleware.

Does anybody know?

Merc.

+89
cookies express connect
Aug 10 '12 at 8:28
4 answers

The cookie will still be visible, but it has a signature, so it can determine if the client has modified the cookie.

It works by computing an HMAC of the current cookie value and base64-encoding it. When a cookie is read, it recomputes the signature and checks that it matches the signature attached to the cookie.

If it does not match, then it will throw an error.

If you want to hide the contents of a cookie, you must encrypt it (or just save it in a server-side session). I'm not sure if the middleware for this is already there or not.

Edit

To create a signed cookie you must use

 res.cookie('name', 'value', {signed: true}) 

And to access the signed cookie, use the signedCookies req object:

 req.signedCookies['name'] 
+102
Aug 10 '12 at 8:40

Yup, as emostar mentions, this is simply to ensure that the value has not been changed. It is placed in a separate object (req.signedCookies) to distinguish between the two, allowing the developer to show intent. If signed cookies were stored in req.cookies along with the others, someone could just create an unsigned cookie of the same name, defeating their entire purpose.

+22
Aug 10

I searched pretty extensively for a good answer to this question... and looking at the source code of cookie-signature, which cookie-parser uses to sign cookies, gave me a better idea of what a signed cookie is.

val is, of course, the cookie value, and secret is the string you pass as an option to cookie-parser.

https://github.com/visionmedia/node-cookie-signature/blob/master/index.js#L16

+11
Jun 11 '14 at

I used cookie-parser version 1.4.4.

I could add signed cookies and see the signed, encoded cookies in the browser. If I try to edit a signed cookie using EditThisCookie (the Chrome plugin), cookie-parser detects the external change and then sets the value to false.

 response.cookie('userId',401,{signed: true}) 

The response header in the browser looks like

 Set-Cookie: empId=s%3A101.US2oSV4TSvfkvvEQ5fj1sXsjj8rNxx2ph4VdHNTuKX8; Path=/ 

Get Signed Cookie

 request.signedCookies 

https://gist.github.com/dineshbalaji/607d166f0240f932a5cb02099b0ece4c

0
Apr 14 '19 at 3:28
