Closed m0dch3n closed 2 years ago
Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different files, create a new repository on GitHub and add a link to that.
https://github.com/m0dch3n/session/commit/33438bebe16dc1de8d9f6d4f9d0d5e04ddb2a135
Here is already a possible solution. I'll set up a repo where you can test the situation.
@mcollina here is an example: https://github.com/CeasyApp/fastify-typescript-template
Just refresh / and you'll see each time a new sessionId...
If you turn signed to false, everything works fine and a new session is not generated each time, because the session plugin can unsign the cookie itself correctly.
Having it true causes, as mentioned, the double signing, which on the session decryption causes a new session...
I created a PR here too... @mcollina Maybe you can add the test for this? I unfortunately need to move forward with my project now...
I've submitted a new PR implementing a new test alongside @m0dch3n's fix. I believe that should cover it
Unfortunately this issue exists in version 10.8.0. It returned in version 10.0.0.
Prerequisites
Fastify version
3.0.0
Plugin version
6.4.0
Node.js version
v16.13.2
Operating system
macOS
Operating system version (i.e. 20.04, 11.3, 10)
12.3
Description
Using signed = true in fastify-cookie options causes the sessionId to be signed twice, because we pass the encryptedSessionId already... https://github.com/fastify/session/blob/73a4675b795e8ad3d020d5cd43de78374c09f8aa/lib/fastifySession.js#L126-L130
Once with the secret of @fastify/session and once with the secret of fastify-cookie.
However, on the decrypting side, we try to only decrypt the session encryption, but not the cookie encryption... https://github.com/fastify/session/blob/73a4675b795e8ad3d020d5cd43de78374c09f8aa/lib/fastifySession.js#L46
This causes a new session to be generated each time, because decryption fails with false.
Steps to Reproduce
Enable cookie signing on fastify-cookie plugin...
Expected Behavior
No response
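The double signing described in this issue, as an added example that is not part of the original thread and is not code from @fastify/session or fastify-cookie. It assumes an HMAC-SHA256 `value.mac` signing scheme; the secrets, function names and session id are constructed for illustration, and `readBothLayers` is one possible consistent read path, not the fix from the linked commit.

```javascript
const crypto = require('crypto');

// Assumed scheme: value + '.' + unpadded base64 HMAC-SHA256 of the value.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value)
    .digest('base64').replace(/=+$/, '');
  return `${value}.${mac}`;
}

// Returns the original value, or false when the signature does not verify.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx === -1) return false;
  const value = signed.slice(0, idx);
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Constructed secrets, one per layer.
const SESSION_SECRET = 'constructed-session-secret';
const COOKIE_SECRET = 'constructed-cookie-secret';

// Write path: the session layer signs the id, then the cookie layer
// signs the already-signed value again when cookie signing is enabled.
function writeCookie(sessionId, cookieSigned) {
  const encryptedSessionId = sign(sessionId, SESSION_SECRET);
  return cookieSigned ? sign(encryptedSessionId, COOKIE_SECRET) : encryptedSessionId;
}

// Read path as reported: only the session layer is removed, so a
// double-signed cookie fails verification and yields false.
function readAsReported(cookie) {
  return unsign(cookie, SESSION_SECRET);
}

// Hypothetical consistent read path: peel the cookie layer first
// (when it was applied), then verify the session layer.
function readBothLayers(cookie, cookieSigned) {
  const inner = cookieSigned ? unsign(cookie, COOKIE_SECRET) : cookie;
  return inner === false ? false : unsign(inner, SESSION_SECRET);
}
```

Any server that treats a `false` result as "no session" will silently issue a fresh session on every request, which is the symptom reported here; a spike in session creation for clients that already present a cookie is the signal to look for.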