Closed rmunn closed 3 years ago
I'd very much like to support another encryption implementation or generally switching to a more secure one. I played around with @hapi/iron at the beginning, but since it doesn't support ESM (yet) I had trouble with Vite and Kit. I will try to find a better solution.
I believe this is even worse than the original issue stated.
salteen XORs each character separately by the entire key, which effectively makes any key length equivalent to having a key length of 1.
I would recommend not using this algorithm at all.
I've replaced salteen with AES-256. I'm thinking about maybe making the initializeSession and encryption async, but I have to test that a bit to see how performance behaves.
Currently, svelte-kit-cookie-session uses salteen as the encryption implementation. Looking at the salteen source, I see it's encrypting the data by XORing the cookie contents with the secret. XOR encryption is speedy, and fine during development, but trivial to crack (especially if the contents are quite a bit longer than the secret), so it's not safe to use in production. I'd like to be able to choose the encryption method used for the session cookies, e.g. to use @hapi/iron (or some other library) rather than salteen.