wiki cookies/session confusion


thibaud

Oct 24, 2012, 4:09:04 PM
to expre...@googlegroups.com
On the Migrating from 2.x to 3.x wiki <https://github.com/visionmedia/express/wiki/Migrating-from-2.x-to-3.x> it says:

    Use express.cookieParser('secret') instead of passing the secret to the express.session() middleware. The 'secret' option in the express.session() middleware has been removed.

But pretty much everywhere else I don't see any confirmation of this. It seems it is rarely encouraged, actually, as the examples for connect's session middleware always use a secret in the session middleware but seldom in the cookieParser one...

First off, I'd like to know the difference between setting a secret in the cookieParser middleware and setting it in the session middleware, and which is preferred?

I would like to create a module for the usual express/socket.io session-sharing business, for the option suggested here <https://github.com/senchalabs/connect/issues/588#issuecomment-8203119> seems slightly odd.
I feel it is a bit of a hack because cookieParser's first argument is intended to be a 'res' stream, and it happens that socket.io's handshakeData has the same structure as the res stream; they both have a headers object which contains the cookie objects.
@tj, do you also think of this as a slightly 'hacked' way of doing this?

Now that you have extracted the cookie signature <https://github.com/visionmedia/node-cookie-signature> feature out of connect, I thought it would be better to build a module that uses that... That's why I wanted to know precisely about the possible cookie objects created.
There seem to be two possible cookie 'objects' set for cookies: either 'signedCookies', which happens when the secret is provided to the cookieParser, or simply 'cookies', which is set if the session middleware gets a secret...
This project <https://github.com/functioncallback/session.socket.io#cookie-lookup-p...> seems to also cater for a 'secureCookies' object, but I don't see that anywhere in the connect/express source; it seems the distinction is only internal to connect/express, and if one uses an https connection the cookies are still exposed via one of the two, 'cookies' or 'signedCookies', as mentioned above.

Hope you can clear that one up for me, and thanks again for all the quality projects.

regards,

thibaud.

tjholowaychuk

Oct 25, 2012, 11:20:17 AM
to Express
Hmm, sorry, yeah, that session part is incorrect; not sure how that snuck in there. It's preferred that session() gets an explicit secret, but either way is fine. We're going to keep slowly moving those cookie utilities out into npm so it becomes easier to work with them from other origins.


mgutz

Oct 25, 2012, 12:07:23 PM
to expre...@googlegroups.com
FYI, `express --sessions` sets the secret through cookieParser()

Thibaud Cummings

Oct 25, 2012, 12:17:16 PM
to expre...@googlegroups.com
@mgutz thanks for the info, though I understand express(1) is to go away soon. (I agree with that.)

@tj okay, thank you.
What about secureCookies, is there still a way of ending up with those?

mgutz

Oct 25, 2012, 12:26:34 PM
to expre...@googlegroups.com, thibaud....@gmail.com
Actually that was a reminder for TJ. If sessions is the recommended way then the generator should set it through session.