
Cookie MAC key rotation

Open · rhansen opened this issue 2 years ago · 1 comment

GHSA-w3g3-qf3g-2mqc would have been less severe if Etherpad's express-session code had followed the security best practice of rotating keys. express-session already has support for key rotation; we just need to take advantage of it.

rhansen · Jan 14 '22 03:01

+1 for having rotating signing keys. If we consider sessionLifetime from your other PR, then keeping the old signing keys for this period seems to be okay, while rotating to new ones every day or something.

webzwo0i · Jan 14 '22 04:01