expressjs / cookie-parser

Parse HTTP request cookies

Why does signed cookie not populate in req.signedCookies?

devth opened this issue

Looks like signedCookies is not being populated.

res.cookie('ok', {why: "ok"}, {signed: true});
logger.info("signed cookies", req.signedCookies);
//=> signed cookies {}

logger.info("cookies", req.cookies);
//=> cookies { ok: 's:j:{"why":"ok"}.qVInqKcYbSXfZ+1m99smJV1t6IHoaZCcmOYVpRDpxUsvl/gaUqnV9Oy2/nbv2qt75iEvez/jXdTO1WAMgKJ/WQ' }

req.signedCookies is only populated with signed cookies that have valid signatures; if that cookie is not translated into signedCookies, the signature is not valid with the secret you provided.

> signature is not valid with the secret you provided

What would cause that? I tried configuring with:

  app.use(cookieParser('MzaP7XtPSEmbB3AiDGxkeFO1cnxr/EPsvcsLmnqG03k='))

Thanks.

For the secret you posted, the cookie signed with it would look like this:

s:j:{"why":"ok"}.R9yq3/37iDxGKbZd+12Mt3YrMfPkPohwYh9idxiq44A

The part after the dot is the signature; as you can see, the signature is very different from the one you posted, so the cookie was signed with a different secret than you are giving to this module, which is why it didn't validate.

I see. I assumed writing and reading cookies was done in the same lib, and would therefore use the same secret, but it appears they are out of sync.

What library are you writing cookies with?

Never mind, I see it is something outdated and using cookie-signature@1.0.0; this library uses 1.0.3 (yes, I know it's weird that the change would have been a patch version, but I don't have control over it). Using an older connect/express, perhaps?

express 3.1.2. There could be something weird happening on my end. We have a custom internal node stack that basically wraps express, so I don't even know how to figure out what is handling my cookies. I thought maybe it was built in to express.

> I thought maybe it was built in to express.

It is, but express 3.1.2 is really old. To parse cookies with this library, you need express 3.2.0 or higher to write the cookies.

Got it. I'll see if we can upgrade. Thanks again.

No problem. I was surprised how close you were to being on a supported express version, so hopefully it should be straightforward to just jump to 3.2.0.
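
The signed-cookie check discussed in this thread, as an added example that is not part of the original issue and is not cookie-parser's own code: it signs a value in the `s:<value>.<signature>` form and shows that a reader holding a different secret leaves the cookie out of the signed set. The HMAC-SHA256/base64 scheme, the `splitCookies` helper and both secrets are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: signature = HMAC-SHA256(value, secret), base64, trailing "=" stripped.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Returns the original value, or false when the signature does not verify.
function unsign(signed, secret) {
  const dot = signed.lastIndexOf('.');          // the part after the last dot is the signature
  if (dot === -1) return false;
  const value = signed.slice(0, dot);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  // timingSafeEqual requires equal lengths; a length mismatch is already a failure.
  if (expected.length !== actual.length) return false;
  return crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Hypothetical helper: cookies with a valid signature go to `signed`,
// everything else stays untouched in `plain` (the behaviour seen in the issue).
function splitCookies(raw, secret) {
  const signed = {}, plain = {};
  for (const [name, val] of Object.entries(raw)) {
    const value = val.startsWith('s:') ? unsign(val.slice(2), secret) : false;
    if (value === false) { plain[name] = val; continue; }
    let parsed = value;
    if (value.startsWith('j:')) {               // "j:" marks a JSON-encoded value
      try { parsed = JSON.parse(value.slice(2)); } catch (e) { parsed = undefined; }
    }
    signed[name] = parsed;
  }
  return { signed, plain };
}

// Constructed secrets and cookie, not the values posted in the issue.
const writerSecret = 'constructed-writer-secret';
const readerSecret = 'constructed-reader-secret';
const raw = { ok: 's:' + sign('j:' + JSON.stringify({ why: 'ok' }), writerSecret) };

console.log(splitCookies(raw, writerSecret));   // cookie appears under `signed`
console.log(splitCookies(raw, readerSecret));   // cookie stays under `plain`
```

A cookie that shows up in `req.cookies` still carrying its `s:` prefix is the observable sign that verification failed on the reading side.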