Open javiertury opened 7 years ago
Yea, I think this makes sense. There are likely several different attributes that one may like to be separate between the two cookies, like `httpOnly`, `secure`, and `sameSite` to name a few. A generic way to just make any attribute different between the two cookies may be the best way forward to solve whatever the user's use-case would be.
I've created a new branch in which `opts.signature` can override the rest of the options set in `opts` for the signature cookie. It should be backwards compatible. Here is what has changed with respect to master: https://github.com/javiertury/cookies/commit/dd02e4c82af10ff35ecea9b700a21e89c4e03bf9. If you like it, we can start working on the new tests.
The old `httpOnly="signature"` approach is at https://github.com/javiertury/cookies/tree/opts-signature
This new `opts.signature` approach is at https://github.com/javiertury/cookies/tree/httpOnly-signature
This would also be useful for me, to avoid needless round trips to the server to get info that is already in the cookie. I wonder if there is any use case where the signature cookie should not be httpOnly? It is only useful to code that knows the secret, and if that code runs on the client then the signing seems useless.
@BertoldVdb, it's also difficult for me to find a use for both the cookie and its signature readable from JavaScript. Perhaps this argument can be used to simplify the interface. Make `httpOnly` a boolean that makes the cookie readable, while the signature is always `httpOnly`.
This is what I do at the moment in a privately patched version. I can submit a pull request if you want.
I encourage you to do so, let's find out what the maintainers think.
Being able to set/unset the HttpOnly attribute for the signature cookie independently would also make it a lot easier to implement "offline logout" (invalidating a session when the server is unreachable), by deleting one of the cookies in browser-side JS, without having to compromise security more than necessary. In my case I'd probably want the session cookie to be HttpOnly and the signature cookie not, but there are probably arguments for the opposite (like in the OP), so both possibilities would be welcome.
Hi,
I think it would be useful to have a new option for signed cookies such that the cookie is `httpOnly = false` but the signature is `httpOnly = true`. The case for this is Single Page Apps (SPA). `httpOnly = true`). I propose to create a new option, `httpOnly = "signature"`, to achieve this. A quick way to implement this feature is this: https://github.com/javiertury/cookies/commit/ffda6e4824b25f9661572ebc8f9014a7faf26bbe. Note that I've used the weak comparison (`==`) operator.
EDIT: Better implementation