-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#178: Feature request to encrypt session data stored in cookies #182
base: master
Are you sure you want to change the base?
Conversation
…ession data stored in the cookie. The encrypted data, along with the IV and AuthTag (where applicable) are encoded as a base64 string in the cookie data. A RangeError is thrown if the base64 encoded string exceeds the cookie max length of 4093 bytes, while the module exposes the 'encryptData' and 'decryptData' functions.
…object. This is used to pass the user defined options through to the crypto encode/decode functions
…are used as per the initialisation steps. Updated the 'formatOpts' function to use the defaults values, and added 'useCrypt' as an option, to cryptographically encode/decode the session data stored in the cookie. This uses the existing session storage in the cookie functionality, and only encodes the data when session store is set to cookie.
1 similar comment
I'd recommend https://github.com/nicokaiser/koa-encrypted-session for now, or you can write your own wrapper to use specific encrypt/decrypt methods. |
@dead-horse that one prescribes the algo, rather than letting you set it. I've set this one up with more flex around the algo you can pick, and whether you want to enable it. |
@dead-horse is this something that would be merged into the code base? |
It looks like this would be one way to resolve #181, which may otherwise be a critical security vulnerability. |
This references issue: #178.
When session data is stored in the cookie, it isn't cryptographically encrypted, and is therefore unsecure. The existing
encode
anddecode
functions simply pass the JSON object through to be stringified and converted to base64, and back again.This pull request adds functionality to use crypto-supported algorithms to encrypt their session data, to safely store in a cookie.
The IV length and key length checks are handled by
crypto
, while validation exists within the feature to verify correctly formatted encryption options, encrypted string, and data.A user can extend the
session.opts
object and define what algorithm they want to use, the initialization vector length, and the key, and set the flaguseCrypto
to true, and the library will handle the rest.eg.
A user can also use these same settings when initialising the
session
instance inApp
:Output:
I have also updated
index.js
to include default values for the accepted options. This ensures that values are always set, and that it provides a degree of information to the developer about what options there are.TODO
Add the following test cases
encode
anddecode
functionsencrypt
fileAlso: