Add encryption as a new feature/option to the cookies provided with secret #5995

Open
sarraf1996 opened this issue Sep 28, 2024 · 2 comments

sarraf1996 commented Sep 28, 2024

I have a query related to encryption of the cookies. As of now, in the case of signed cookies, I can see the express module is using the cookie value as it is, without tampering with it, and only appending the HMAC encoding technique to sign the cookie using the cookie-signature module.

We can also implement cookie encryption for localhost development (http) as a new feature/option, with a secret supplied by the user, which will provide a more secure way of cookie creation and transmission from server to client and vice versa.

Is this feature/option already in draft, or has anyone already been assigned? If not, could you assign this work to me so that I can work towards it and contribute to this module?

Let me know if this new feature/option works for you.

@sarraf1996 sarraf1996 changed the title Add encryption as a new feature to the signed cookies Add encryption as a new feature/option to the signed cookies Sep 28, 2024
@sarraf1996 sarraf1996 changed the title Add encryption as a new feature/option to the signed cookies Add encryption as a new feature/option to the cookies provided with secret Sep 28, 2024
@IamLizu IamLizu added ideas and removed question labels Nov 12, 2024
IamLizu (Member) commented Nov 12, 2024

cc: @expressjs/express-tc

wesleytodd (Member) commented

We would for sure accept and review a PR for this. Although I am not sure I understand why local development would need this feature.

> secret supplied by the user which will provide a more secure way of cookie creation and transmission from server to client and vice versa.

The point here in local development is that the request never leaves your machine, so I don't think I understand the need for this in that case. You can already steal or modify your own cookies.
