What is the session's "secret" option?

node.js session connect

I don't know anything about cryptography. I'm wondering what the session secret is.

I see code like this:

app.use(express.session({
  store: mongoStore({
    url: app.set('db-uri')
  }),
  secret: 'topsecret'
}));

What is the secret and should I change it?


Solution 1:

Yes, you should change it. A session secret in connect is simply used to compute the hash. Without the string, access to the session would essentially be "denied". Take a look at the connect docs, that should help a little bit.

Solution 2:

The secret is used to hash the session with HMAC:

https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L256

The session is then protected against session hijacking by checking the fingerprint against the hash with the secret:

https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L281-L287

Related

C++ IDE for Macs [closed]
Parse config files, environment, and command-line arguments, to get a single collection of options
How do you tell the Visual Studio project type from an existing Visual Studio project
What does the & symbol in powershell mean?
How to create a new java.io.File in memory? [duplicate]
How to RedirectToAction in ASP.NET MVC without losing request data
React / Redux and Multilingual (Internationalization) Apps - Architecture
Weird "[]" after Java method signature
Assigning code to a variable
Understanding scala enumerations
Avoiding if statement inside a for loop?
How to downgrade python from 3.7 to 3.6