I am using Passport.js with Koa, and I noticed that when a session cookie is generated, it is called koa:sess and contains the session information encoded as Base64. However, there is another cookie called koa:sess.sig, and its purpose is not obvious. My guess would be that it is intended to stop an attacker from spoofing the session (since the koa:sess cookie just contains the user ID). Is this the case?
Viewed 2,470 times
Asked by laptou
I had a similar question and found this useful: https://stackoverflow.com/questions/46859103/how-can-i-access-cookie-session-from-client-side – HunterLiu Aug 06 '18 at 02:47
1 Answer
From the documentation:
signed: a boolean indicating whether the cookie is to be signed (false by default). If this is true, another cookie of the same name with the .sig suffix appended will also be sent, with a 27-byte url-safe base64 SHA1 value representing the hash of cookie-name=cookie-value against the first Keygrip key. This signature key is used to detect tampering the next time a cookie is received.

desertnaut
xu liu