[Feature Request]: Allow signing of sessions #1156
Comments
The benefit of signing cookies is minimal so I'm not sure if it's worth supporting it. I'm not a very big fan of using callback functions either:

```ts
// Sketch of the option shape being discussed; `parse`, `signCookie` and `Session`
// are placeholders for helpers the sketch assumes, not exported Lucia APIs.
lucia({
  sessionCookie: {
    parseSignedCookie: (cookie: string) => {
      const parsedCookie = parse(cookie);
      // I really don't like requiring `if` statements inside options
      if (parsedCookie === null) return null;
      // reject a cookie whose expiry has already passed
      if (parsedCookie.expires < Date.now()) return null;
      return parsedCookie.sessionId;
    },
    signCookie: (session: Session) => {
      return signCookie(session.sessionId, session.idleExpires);
    }
  }
})
```

Lucia already exposes low level APIs (e.g
I think it would already be sufficient to expose config option In your example, in the case
I'm going to keep this open since I think it's worth having the discussion (for v4), but it won't be implemented in the near future (within v3.x) since we'll have to introduce breaking changes.
I just contributed to the bounty on this issue. Each contribution to this bounty has an expiry time and will be auto-refunded to the contributor if the issue is not solved before then. To make this a public bounty or have a reward split, the maintainer can reply to this comment.
This is easy to implement by just extending the Lucia class and using the cookie-signature package:

```ts
import cookieSignature from 'cookie-signature';
import { Cookie, Lucia } from 'lucia';

// Fail fast at startup if the secret is missing instead of signing with `undefined`.
function requireSecret(): string {
  const secret = process.env.SESSION_COOKIE_SECRET;
  if (!secret) throw new Error('SESSION_COOKIE_SECRET must be set');
  return secret;
}
const SIGNING_SECRET = requireSecret();

export default class LuciaExtended extends Lucia {
  // Cookie value sent to the browser is `<sessionId>.<base64 HMAC>`, never the bare id
  createSignedSessionCookie(sessionId: string): Cookie {
    const signedCookie = cookieSignature.sign(sessionId, SIGNING_SECRET);
    return this.createSessionCookie(signedCookie);
  }

  // `unsign` returns false when the MAC does not verify; normalise that to null
  readSignedSessionCookie(cookie: string): string | null {
    const unsigned = cookieSignature.unsign(cookie, SIGNING_SECRET);
    if (!unsigned) return null;
    return unsigned;
  }
}
```
Description
While it is not a huge increase of security, it is generally advised to hash/sign session ids before sending them out to the user. The main advantages are:
Implementation: See e.g. https://github.com/expressjs/session/blob/1010fadc2f071ddf2add94235d72224cf65159c6/index.js#L541-L550 in express-session or unjs/h3#315 in h3.
Discussions: