Open ayang21 opened 2 months ago
I have tested it out already in Codespaces, and there seems to be a difference in the number of cookies, which shouldn't be happening, since the only thing that changed was generating a different key, not creating a new cookie session.
But nonetheless, it does mean the cookie sessions are correctly running. I will research more to make sure the cookie session is the right one and that it is working properly.
The constructor for ../pushkin/packages/pushkin-api/src/api.js sets up a cookieSession with a hard-coded secret key to prevent tampering; however, we never overwrite it with a more secure key in any of the files for the Pushkin project. This doesn't really make the secret key secret, so I propose that, in ../pushkin/templates/sites/basic/src/pushkin/api/src/index.js, we set a randomly generated secret key when calling the API constructor.
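
An added illustration, not part of the original issue or the Pushkin code base: a simplified HMAC-signed cookie in Node.js showing what changes when the signing key is random rather than committed to source. The `SESSION_SECRET` variable name, the helper names and the sample values are assumptions, and this stand-in does not reproduce cookie-session's own signing format.

```javascript
const crypto = require("crypto");

// Constructed placeholder for a secret that is readable in a public repo.
const HARD_CODED_SECRET = "secret-committed-to-source";

// Hypothetical helper: prefer a key supplied via the environment so restarts
// and multiple API instances share it; otherwise generate one per process.
function loadSessionKey(env = process.env) {
  const hex = env.SESSION_SECRET; // assumed variable name
  if (typeof hex === "string" && /^[0-9a-f]{64}$/i.test(hex)) {
    return Buffer.from(hex, "hex");
  }
  return crypto.randomBytes(32);
}

// Simplified signed cookie: "<value>.<hex HMAC-SHA256 of value>".
function sign(value, key) {
  const tag = crypto.createHmac("sha256", key).update(value).digest("hex");
  return `${value}.${tag}`;
}

// Returns the value if the tag matches under `key`, otherwise null.
function verify(cookie, key) {
  const i = cookie.lastIndexOf(".");
  if (i < 0) return null;
  const value = cookie.slice(0, i);
  const expected = Buffer.from(sign(value, key));
  const given = Buffer.from(cookie);
  const ok = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  return ok ? value : null;
}

function demo() {
  const session = '{"user":"constructed-sample"}';
  const randomKey = loadSessionKey({});    // no env value: per-process key
  const afterRestart = loadSessionKey({}); // a restart draws a new key
  const env = { SESSION_SECRET: crypto.randomBytes(32).toString("hex") };
  return {
    // Signed with the published secret, checked against a random key.
    publishedSecretAccepted:
      verify(sign(session, HARD_CODED_SECRET), randomKey) !== null,
    sameProcess: verify(sign(session, randomKey), randomKey) === session,
    // Existing sessions stop verifying once the key is regenerated.
    survivesRestart: verify(sign(session, randomKey), afterRestart) !== null,
    survivesRestartWithEnvKey:
      verify(sign(session, loadSessionKey(env)), loadSessionKey(env)) === session,
  };
}
```

A key generated fresh in each process rejects every cookie issued before the restart, so a deployment that needs sessions to persist has to store the random key outside the source tree and load it at startup.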