
Comments (5)

CaioStoduto-zz commented on April 28, 2024 5

Nowadays you need to decode the cookie value using decodeURIComponent() before using any of the following functions:

  1. cookieParser.JSONCookie
  2. cookieParser.JSONCookies (decodeURIComponent for each cookie)
  3. cookieParser.signedCookie
  4. cookieParser.signedCookies (decodeURIComponent for each cookie)

This is because the functions don't decode the value themselves; now they just check if it starts with 'j:' or 's:' (before, when this issue was created, they required an encoded URI and would check if it starts with 'j%3A', for JSONCookie, or 's%3A', for signedCookie, and then both of these functions would decode the input before continuing).

These screenshots are from the actual expressjs/cookie-parser source code:
image
image

Conclusion:
You need to use decodeURIComponent() before using JSONCookie(), JSONCookies(), signedCookie() or signedCookies(); otherwise it will return the input value.

Example:

var cookieParser = require('cookie-parser')
const signedCookieValue = 's%3Accc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10' // FROM res.cookie('bbbbb', 'ccc', {signed: true})

const decodedSignedCookieValue = decodeURIComponent(signedCookieValue) // RESULT  s:ccc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10

// CORRECT WAY
cookieParser.signedCookie(decodedSignedCookieValue, 'SECRET') //RESULT ccc

// INCORRECT WAY
cookieParser.signedCookie(signedCookieValue, 'SECRET') //RESULT s%3Accc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10

from cookie-parser.

dougwilson commented on April 28, 2024 1

Taking the cookie from the last screenshot (please, if you could, send as text, as it took a really long time to type it out correctly :) ), here is the flow of unsigning the cookie, as an example:

$ node -pe 'var cookie = "connect.sid=s%3A1bdf23c0-9c30-93df-5147-930ece4f2f2b.Mx1bO5zIKawNmWtEZshwHG7BY%2BVCikhaUvrqWsY3TRU"; var sid = require("cookie").parse(cookie)["connect.sid"]; require("cookie-parser").signedCookie(sid, "foobarbaz1234567foobarbaz1234567")'
1bdf23c0-9c30-93df-5147-930ece4f2f2b

Basically:

(1) Parse the cookie header and get connect.sid value
(2) Pass to signedCookie with signature


dougwilson commented on April 28, 2024

Somewhere in your code the value you are trying to unsign has been truncated. The value you're showing starts with %3A but that is not a valid signed cookie; there should be an s in front of that value (i.e. it should start with s%3A to signal it's a signed cookie).


dougwilson commented on April 28, 2024

You can see in the last screenshots you provided, the s is there at the start of the value, so not sure where you are losing that character in your process.


TitaneBoy commented on April 28, 2024

> Somewhere in your code the value you are trying to unsign has been truncated. The value you're showing starts with %3A but that is not a valid signed cookie; there should be an s in front of that value (i.e. it should start with s%3A to signal it's a signed cookie).

@dougwilson You're totally right.. The first screenshot is the result of my last attempt to understand why I can't decode the signed cookie.. I was trying to remove some characters at the beginning of the original string, thinking it would somehow resolve my issue. But I forgot to put back the original string when I created this issue. But I can assure you there was an 's' character at the beginning of the string. It's a simple forgetfulness.. My bad..

But the last screenshot, like you said (sorry.. I will send a text string with it next time :-).. I understand it can take a while to type it correctly...), is a perfect example of why it looks to not work properly.

But when I use the "cookie" package with the "cookie-parser" package, it looks to work as expected.

So thank you very much for your answer and your help. I guess the "cookie" package was what I was missing to resolve my issue.

from cookie-parser.
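
The behaviour discussed in this thread, as an added example that is not part of the original comments and is not cookie-parser's own source: it re-implements the prefix check and the signature check with Node's built-in crypto so it runs without any package installed. The HMAC-SHA256, unpadded-base64 signature format is an assumption about the signing scheme, and `readSignedCookie`, the secret and the sample cookie are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed scheme: HMAC-SHA256 over the value, base64 with '=' padding removed.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Returns the original value, or false when the signature does not match.
function unsign(signed, secret) {
  const value = signed.slice(0, signed.lastIndexOf('.'));
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(signed);
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Mirrors the behaviour described in the thread: only a decoded 's:' prefix is
// treated as signed; any other string is handed back unchanged.
function signedCookie(str, secret) {
  if (typeof str !== 'string') return undefined;
  if (!str.startsWith('s:')) return str;
  return unsign(str.slice(2), secret);
}

// Hypothetical defensive wrapper: decode the raw header value first and fail
// closed, so an unverified value is never mistaken for a verified one.
function readSignedCookie(rawValue, secret) {
  let decoded;
  try { decoded = decodeURIComponent(rawValue); } catch { return null; }
  if (!decoded.startsWith('s:')) return null; // unsigned, or prefix truncated
  const value = signedCookie(decoded, secret);
  return value === false ? null : value;
}

// Constructed sample: the URL-encoded form a signed cookie has in the header.
const SECRET = 'constructed-demo-secret';
const raw = encodeURIComponent('s:' + sign('ccc', SECRET));

console.log(signedCookie(raw, SECRET));                     // still encoded: input comes back as-is
console.log(signedCookie(decodeURIComponent(raw), SECRET)); // decoded first: the verified value
console.log(readSignedCookie(raw.slice(1), SECRET));        // leading 's' lost: rejected
console.log(readSignedCookie(raw.replace('ccc', 'ccd'), SECRET)); // tampered value: rejected
```

Because the still-encoded input is returned unchanged rather than as `false`, a caller that only tests for `false` would accept a value whose signature was never checked; the wrapper rejects that case explicitly.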
