Open tobiasdiez opened 9 months ago
The benefit of signing cookies is minimal so I'm not sure if it's worth supporting it. I'm not a very big fan of using callback functions either:
lucia({
  sessionCookie: {
    parseSignedCookie: (cookie: string) => {
      const parsedCookie = parse(cookie);
      // I really don't like requiring `if` statements inside options
      if (parsedCookie === null) return null;
      // reject the cookie once its expiry is in the past
      if (parsedCookie.expires < Date.now()) return null;
      return parsedCookie.sessionId;
    },
    signCookie: (session: Session) => {
      return signCookie(session.sessionId, session.idleExpires);
    }
  }
})
Lucia already exposes low level APIs (e.g. Auth.validateSession()), and I'd rather have users build on top of it instead of hacking into Lucia's internals.
I think it would already be sufficient to expose a config option secrets (a string array). If this is passed, lucia internally signs the session id in the cookie.
In your example, in the case if (parsedCookie === null) return null; you probably also want to log the request - since it means someone tampered with the cookie.
I'm going to keep this open since I think it's worth having the discussion (for v4), but it won't be implemented in the near future (within v3.x) since we'll have to introduce breaking changes.
I just contributed to the bounty on this issue.
Each contribution to this bounty has an expiry time and will be auto-refunded to the contributor if the issue is not solved before then.
To make this a public bounty or have a reward split, the maintainer can reply to this comment.
Description
While it is not a huge increase in security, it is generally advised to hash/sign session ids before sending them out to the user. The main advantages are:
Implementation: See e.g. https://github.com/expressjs/session/blob/1010fadc2f071ddf2add94235d72224cf65159c6/index.js#L541-L550 in express-session or https://github.com/unjs/h3/pull/315 in h3.
Discussions: