Comments (14)
I hit this as well. Any plans on allowing support for "_"?
yes, in 2.0.0
Thanks - appreciate the info.
no problem. i need to schedule some tlc time with this module, it seems :)
I'm happy either way - can't complain about modules that help jump-start my project. :-) But, it'd definitely be nice to get that in there for sure. The Lusca project uses a session key that starts with "_" so CSRF ends up being broken without being able to get back to the key. We're hoping they'll make the key configurable.
you could always use csurf for the csrf middleware part :) https://github.com/expressjs/csurf
app.use(lusca.csrf());
is pretty much the same as the following. it looks like the lusca csrf was a rip off of the older csurf, but csurf has continued to evolve.
app.use(csurf())
app.use(function (req, res, next) {
  res.locals._csrf = req.csrfToken() // this is to mimic default lusca.csrf behavior, which exposes the token on res.locals
  next()
})
you can have csurf store the secret in the cookies directly (i.e. built-in double-submit cookie support) without even needing to add the secret into your session cookie:
app.use(csurf({ cookie: true }))
Good info - thanks. I'll try some of that. I'm not actually using Lusca directly... KrakenJS is. I think the csurf option could work around that though.
Gotcha. Yea, their thing has configuration options so you should be able to turn off the appsec csrf option.
Lusca is also updating to remove the underscore (or at least add an option) as well, so that should help.
csurf is cool but I also use all the other lusca features and prefer to do all the security in one place if possible.
Yeah - caught that thread last night as well and am glad they'll be updating it. It definitely has some other options that I like as well.
No problem. I was just trying to throw out solutions that would help you immediately so you didn't have to wait for one of the modules to eventually update :)
Appreciate it Doug - thanks.