Closed TLKG closed 3 years ago
Do we support key rotation?
Support for key rotation is not designed into this library. The value returned by .sign() does not include any metadata regarding which secret it was signed with, at least not obviously/intentionally.
how to check if the cookie is tampered?
unsign will return false if the cookie is tampered relative to the provided secret (key).
Putting these together, you could perhaps implement key rotation yourself: if the cookie cannot be unsigned with the keyForSetting you could try again with key1ForGetting etc. in your own loop. I do not know if this is a recommended practice or not; there certainly would be drawbacks to accepting cookies signed by not just new but also (potentially compromised? otherwise why were they rotated?) old keys.
[Closing this because I think I've answered all your questions but lmk if not…]
Good answer, thank you and appreciate it!
Do we support key rotation? That is
Also how to check if the cookie is tampered? Thank you