cookies icon indicating copy to clipboard operation
cookies copied to clipboard
verified publisher icon pillarjs

default signed or not when keys present

Open dead-horse opened this issue 9 years ago • 5 comments

https://github.com/pillarjs/cookies/blob/master/lib/cookies.js#L74 https://github.com/pillarjs/cookies/blob/master/lib/cookies.js#L92

const cookies = new Cookies(req, res, ['key', 'keys']);

cookies.set('key', 'value'); // won't be signed
cookies.set('key', 'value', { maxAge: 100 }); // will be signed

not sure if we should make them all be signed or not be signed, and both will break people's code.

dead-horse avatar Nov 01 '16 09:11 dead-horse

Hi @dead-horse yes, both of those should behave the same (signed in this case), so them behaving different depending on the presence of the options is a bug.

dougwilson avatar Nov 12 '16 21:11 dougwilson

The docs would suggest the correct functionality is that the sig cookie should only be there for an explicit signed: true.

dougwilson avatar Nov 12 '16 21:11 dougwilson

Fix this bug in the next major version, yep.

fengmk2 avatar Nov 18 '16 17:11 fengmk2

I was just re-looking at this issue, and looked at the original implementation in https://github.com/pillarjs/cookies/commit/b1322b6a7b5dc75a5a7d7662c99de65943cee01e and the discussion in #10 and it looks like the intended behavior is: honor the provided signed option, and default to signed if the library has keys, otherwise unsigned. The commit shows where the mistake came from in the original implementation, where the opts should have been removed in that second if.

dougwilson avatar Jan 29 '17 06:01 dougwilson

For now, I removed the fix on master to release one more 0.x version, and will defer this to the 1.x release due to breaking issues.

dougwilson avatar Feb 19 '17 02:02 dougwilson