What are "signed" cookies in connect/expressjs?

node.jsCookiesExpressConnect

node.js Problem Overview

I am trying to figure out what "signed cookies" actually are. There isn't much on the net, and if I try this:

app.use(express.cookieParser('A secret'));

But still... Cookies are still 100% normal on the browser, and I don't really know what "signed" is here (I was sort of hoping to "see" some weirdness on the client, something like the data encrypted using "A secret" as salt?)

The documentation says (https://github.com/expressjs/cookie-parser):

> Parse Cookie header and populate req.cookies > with an object keyed by the cookie names. Optionally > you may enabled signed cookie support by passing > a secret string, which assigns req.secret so > it may be used by other middleware.

Does anybody know?

Merc.

node.js Solutions

Solution 1 - node.js

The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

It works by creating a HMAC of the value (current cookie), and base64 encoded it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

If it does not match, then it will give an error.

If you want to hide the contents of the cookie as well, you should encrypt it instead (or just stores it in the server side session). I'm not sure if there is middleware for that already out there or not.

Edit

And to create a signed cookie you would use

res.cookie('name', 'value', {signed: true})

And to access a signed cookie use the signedCookies object of req:

req.signedCookies['name']

Solution 2 - node.js

Yup like emostar mentions it's simply to ensure that a value has not been tampered with. It's placed in a different object (req.signedCookies) to differentiate between the two, allowing the developer to show intent. If they were stored in req.cookies along with the others someone could simply craft an unsigned cookie of the same name, defeating the whole purpose of them.

Solution 3 - node.js

I have been searching pretty extensive for a good answer to this... And looking at the source code of cookie-signature, that is used by cookie-parser to sign the signed cookies have given me a better understanding of what a signed cookie is.

val is of course the value of the cookie, and secret is the string you add as option to cookie-parser

https://github.com/visionmedia/node-cookie-signature/blob/master/index.js#L16

Solution 4 - node.js

I used cookie-parser 1.4.4 version.

I could add signed cookies and signed cookie encrypted in browser, If i try to edit signed cookie using editThisCookie (chrome plugin) then cookie-parser detect external change and then set false as value.

response.cookie('userId',401,{signed: true})

Response header in browser,appear as

Set-Cookie: empId=s%3A101.US2oSV4TSvfkvvEQ5fj1sXsjj8rNxx2ph4VdHNTuKX8; Path=/

Get signed cookie

request.signedCookies

https://gist.github.com/dineshbalaji/607d166f0240f932a5cb02099b0ece4c

Categories
Recommended node.js Solutions
Recommended Cookies Solutions
Recommended Express Solutions
Recommended Connect Solutions

Previous Solution:

How do I setup a SSL certificate for an express.js server?

node.jsExpressSsl Certificate

Next Solution:

Getting "cannot find Symbol" in Java project in IntelliJ

JavaIntellij Idea

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionMercView Question on Stackoverflow
Solution 1 - node.jsstaackuser2View Answer on Stackoverflow
Solution 2 - node.jsTJ HolowaychukView Answer on Stackoverflow
Solution 3 - node.jsAnders ÖstmanView Answer on Stackoverflow
Solution 4 - node.jsDineshView Answer on Stackoverflow