
So after going through quite a bit of cryptography stuff, I am now searching for and playing with applications. I am following an example from express.js to set up a session cookie (I simplified it slightly).

var cookieSession = require('cookie-session');
var app = require('express')();

// cookie-session keeps the whole session in a client-side cookie;
// 'secret' is the single key used to sign it.
app.use(cookieSession({ secret: 'manny is cool' }));

app.use(count);

function count(req, res) {
  // req.session is populated from the incoming cookie (or starts empty)
  req.session.count = (req.session.count || 0) + 1
  res.send('viewed ' + req.session.count + ' times\n')
}

app.listen(3000);

As I understand it, the cookieSession middleware will first set a cookie in the request object, and probably append it to the response object.

Questions:

  • Is it the case that the cookie is just set in the request object and somehow grabbed by express and set in the response headers? (The header is the only piece I do not have control over, as I am only sending the body data, i.e. the webpage.)
  • Is this cookie encrypted using symmetric cryptography, using the "secret"?
  • Is the cookie just signed? But in this case, how?

This is what I see in the response:

ETag: W/"f6-gYaAvd5rsyGl69Veyzj1ozbPCdQ"
Set-Cookie: session=eyJjb3VudCI6Nn0=; path=/; httponly
Set-Cookie: session.sig=oKOAVxVCrtN5n3kp7Q5NaQfveLg; path=/; httponly

And the browser is sending

Cookie: session=eyJjb3VudCI6NX0=; session.sig=bVsuneRNxfv6AGbAXym-KdoSq50

An interesting thing is that even if I disable cache in the Firefox Network Tab, the same cookie session is still there! There is no reset (the count increases). I thought that would not be the case.

Mah Neh
  • Your session cookie is signed, not encrypted. Copy the value `eyJjb3VudCI6Nn0` and when you base64 decode it, you will get `{"count":6}`. Cookies are not part of your cache; clearing the cache will not clear cookies. – milo526 May 07 '22 at 11:44
  • Interesting, thanks. Do you know how that signing works? Is this decoded by the server into the secret message? @milo526 – Mah Neh May 07 '22 at 13:14

0 Answers