Why does signed cookie not populate in req.signedCookies?

Question

Why does signed cookie not populate in req.signedCookies?

devth opened this issue 10 years ago · comments

Looks like signedCookies is not being populated.

res.cookie('ok', {why: "ok"}, {signed: true});

logger.info("signed cookies", req.signedCookies);
//=> signed cookies {}

logger.info("cookies", req.cookies);
//=> cookies { ok: 's:j:{"why":"ok"}.qVInqKcYbSXfZ+1m99smJV1t6IHoaZCcmOYVpRDpxUsvl/gaUqnV9Oy2/nbv2qt75iEvez/jXdTO1WAMgKJ/WQ' }

Douglas Wilson · Answer 1 · Wed May 07 2014 04:58:43 GMT+0800 (China Standard Time)

req.signedCookies are only populated with signed cookies that have valid signatures; if that cookie is not translated into signedCookies the signature is not valid with the secret you provided.

Trevor Hartman · Answer 2 · Wed May 07 2014 05:00:14 GMT+0800 (China Standard Time)

signature is not valid with the secret you provided

What would cause that? I tried configuring with:

  app.use(cookieParser('MzaP7XtPSEmbB3AiDGxkeFO1cnxr/EPsvcsLmnqG03k='))

Thanks.

Douglas Wilson · Answer 3 · Wed May 07 2014 05:13:14 GMT+0800 (China Standard Time)

For the secret you posted, the cookie signed with it would look like this:

s:j:{"why":"ok"}.R9yq3/37iDxGKbZd+12Mt3YrMfPkPohwYh9idxiq44A

The part after the dot is the signature; as you can see the signature is very different from the one you posted, so the cookie was signed with a different secret than you are giving to this module, thus why it didn't validate.

Trevor Hartman · Answer 4 · Wed May 07 2014 05:17:35 GMT+0800 (China Standard Time)

I see. I assumed writing and reading cookies was done in the same lib, and would therefore use the same secret, but it appears they are out of sync.

Douglas Wilson · Answer 5 · Wed May 07 2014 05:18:31 GMT+0800 (China Standard Time)

What library are you writing cookies with?

Douglas Wilson · Answer 6 · Wed May 07 2014 05:23:55 GMT+0800 (China Standard Time)

Nevermind, I see it is something outdated and using cookie-signature@1.0.0; this library uses 1.0.3 (yes, I know it's weird that the change would have been a patch version, but I don't have control over it). Using an older connect/express, perhaps?

Trevor Hartman · Answer 7 · Wed May 07 2014 05:25:41 GMT+0800 (China Standard Time)

express 3.1.2. There could be something weird happening in my end. We have a custom internal node stack that basically wraps express, so I don't even know how to figure out what is handling my cookies. I thought maybe it was built in to express.

Douglas Wilson · Answer 8 · Wed May 07 2014 05:30:10 GMT+0800 (China Standard Time)

I thought maybe it was built in to express.

It is, but express 3.1.2 is really old. To parse cookies with this library, you need express 3.2.0 or higher to write the cookies.

Trevor Hartman · Answer 9 · Wed May 07 2014 05:35:14 GMT+0800 (China Standard Time)

Got it. I'll see if we can upgrade. Thanks again.

Douglas Wilson · Answer 10 · Wed May 07 2014 05:36:02 GMT+0800 (China Standard Time)

No problem. I was surprised how close you were to being on a supported express version, so hopefully it should be straight-forward to just jump to 3.2.0.