What should I use for the cookieParser() secret?

The docs say this should be kept secret, but my code is posted on github.

Does app.use(express.cookieParser(crypto.randomBytes(64).toString())) work, or should the secret stay the same when the server restarts? Should I keep the secret on disk? How secret does it need to be?

+6

3 answers

To keep a secret secret, you can set it in an environment variable (for example, "COOKIE_SECRET"), and then you can:

```javascript
var express = require('express');
var app = express();

// Read the secret from the environment so it never lands in the repository
var cookieSecret = process.env.COOKIE_SECRET;
app.use(express.cookieParser(cookieSecret));
```

(Or, if you need a more complicated configuration setup, take a look at nconf. It combines configuration from environment variables, command-line arguments, and flat files.)

+4

This should be the same if you want to save sessions after a restart. The secret is used to verify session data on the server to prevent invalid cookie data. Perhaps you can write your random data to a file and read the secret from the file when the application starts, and if the file exists, you will not create a new random key.

+3

The secret is used to sign and verify the session cookie. If you change it after a restart, all previous sessions become invalid, because their cookies will no longer verify against the new secret.

However, if cookies are stolen, you might consider changing the secret that protects you. It is impractical to keep a secret anywhere other than where it is needed. The same goes for all secrets and salts: anyone who gains access to them defeats your security.

+3

Source: https://habr.com/ru/post/948692/
