The default setting puts the session in a client cookie. Is it safe? As far as I know, cookies work on the client, and a session just puts a sessionId on the client and takes the session value on the server side. koa-session without a store puts the session value in the cookie, even if it is encoded, but I think anything from the client is not worthy of trust.
With the default setting, cookies are all signed, which means the user cannot change (or fake) the session from the client side; we check the signature on the server side.
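The server-side signature check described in the answer above, as an added example that is not part of the original thread and is not koa-session's own code. The secret, the cookie name `sess` and the choice of HMAC-SHA256 are assumptions for illustration; the demo also shows that a signed value is still readable by the client.

```javascript
// Added illustration of a signed session cookie; not koa-session's own code.
const crypto = require('node:crypto');

// Constructed server-side secret (an assumption; never sent to the client).
const SECRET = 'constructed-demo-secret';

// HMAC over "name=value", so a signature cannot be moved to another cookie.
function sign(name, value, secret = SECRET) {
  return crypto.createHmac('sha256', secret)
    .update(`${name}=${value}`).digest('hex');
}

// Server issues the session as base64(JSON) plus a separate signature.
function issue(name, session) {
  const value = Buffer.from(JSON.stringify(session)).toString('base64');
  return { value, sig: sign(name, value) };
}

// Server verifies on every request; returns the session object or null.
function verify(name, value, sig) {
  const expected = Buffer.from(sign(name, value));
  const given = Buffer.from(String(sig));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
  } catch {
    return null;
  }
}

// What the server sees for an untouched cookie and for an edited one.
function demo() {
  const { value, sig } = issue('sess', { user: 'alice', admin: false });
  // The value is only encoded, so its content is visible to the client.
  const readable = Buffer.from(value, 'base64').toString('utf8');
  // Constructed edit: a modified session sent with the old signature.
  const edited = Buffer.from(JSON.stringify({ user: 'alice', admin: true }))
    .toString('base64');
  return {
    readable,
    untouched: verify('sess', value, sig),
    tampered: verify('sess', edited, sig),
  };
}
```

Signing gives integrity only: the session content stays visible to the client, so values that must stay confidential belong in a server-side store or an encrypted cookie.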