express-openid-connect
Encrypt session when using custom session stores
Describe the problem you'd like to have solved
When using a custom session store, sensitive user information may be stored in plaintext. The application should not have direct access to this information outside the context of a request.
Describe the ideal solution
The library should allow for encrypted sessions with a per-session generated secret and/or IV that is passed to the client together with the session id.
Alternatives and current work-arounds
The current work-around is to override the session.genid option to serialize both the session id and an IV, and to use a custom parser in the session.store option to map it to the corresponding session in the session store.
Additional information, if any
-
Hi @BitPatty - thanks for raising this
The session store implementation is pretty lightweight at the moment and has the extensibility points for you to add this yourself should you wish to (as you described in your workaround).
I'm not against adding this as a feature in the future, and happy to look at a PR, so will leave this open as a possible enhancement.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️
Bump
@BitPatty - we're not looking to add this ourselves so closing.
In general, we tend to use express-session as a guide for feature parity and since this isn't included in that either, we recommend you continue to use the library's extensibility points to do your workaround.