etherpad-lite
Cookie MAC key rotation
GHSA-w3g3-qf3g-2mqc would have been less severe if Etherpad's express-session
code had followed the security best practice of rotating keys. express-session
already has support for key rotation; we just need to take advantage of it.
+1 for having rotating signing keys. If we consider sessionLifetime
from your other PR, then keeping the old signing keys for this period seems to be okay, while rotating to new ones every day or something.