Comments (5)
Nowadays you need to decode the cookie value using decodeURIComponent() before using any of the following functions:
- cookieParser.JSONCookie
- cookieParser.JSONCookies (decodeURIComponent for each cookie)
- cookieParser.signedCookie
- cookieParser.signedCookies (decodeURIComponent for each cookie)
This is because the functions don't decode the value themselves; now they just check whether it starts with 'j:' or 's:'. (Before, when this issue was created, they required an encoded URI and would check whether it starts with 'j%3A', for JSONCookie, or 's%3A', for signedCookie, and then both of these functions would decode the input before continuing.)
These screenshots are from the actual expressjs/cookie-parser source code.
Conclusion:
You need to use decodeURIComponent() before using JSONCookie(), JSONCookies(), signedCookie() or signedCookies(); otherwise it will return the input value.
Example:
var cookieParser = require('cookie-parser')
const signedCookieValue = 's%3Accc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10' // FROM res.cookie('bbbbb', 'ccc', {signed: true})
const decodedSignedCookieValue = decodeURIComponent(signedCookieValue) // RESULT s:ccc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10
// CORRECT WAY
cookieParser.signedCookie(decodedSignedCookieValue, 'SECRET') //RESULT ccc
// INCORRECT WAY
cookieParser.signedCookie(signedCookieValue, 'SECRET') //RESULT s%3Accc.4qKyaFIB4mq9fpZViqe1L1hiHbbGfRTZDZHhFtTvI10
from cookie-parser.
Taking the cookie from the last screenshot (please, if you could, send it as text, as it took a really long time to type it out correctly :) ), here is the flow of unsigning the cookie, as an example:
$ node -pe 'var cookie = "connect.sid=s%3A1bdf23c0-9c30-93df-5147-930ece4f2f2b.Mx1bO5zIKawNmWtEZshwHG7BY%2BVCikhaUvrqWsY3TRU"; var sid = require("cookie").parse(cookie)["connect.sid"]; require("cookie-parser").signedCookie(sid, "foobarbaz1234567foobarbaz1234567")'
1bdf23c0-9c30-93df-5147-930ece4f2f2b
Basically:
(1) Parse the cookie header and get the connect.sid value
(2) Pass it to signedCookie with the signature
from cookie-parser.
Somewhere in your code the value you are trying to unsign has been truncated. The value you're showing starts with %3A but that is not a valid signed cookie; there should be an s in front of that value (i.e. it should start with s%3A to signal it's a signed cookie).
from cookie-parser.
You can see in the last screenshots you provided, the s is there at the start of the value, so not sure where you are losing that character in your process.
from cookie-parser.
> Somewhere in your code the value you are trying to unsign has been truncated. The value you're showing starts with %3A but that is not a valid signed cookie; there should be an s in front of that value (i.e. it should start with s%3A to signal it's a signed cookie).
@dougwilson You're totally right. The first screenshot is the result of my last attempt to understand why I can't decode the signed cookie. I was trying to remove some characters at the beginning of the original string, thinking it would somehow resolve my issue. But I forgot to put back the original string when I created this issue. But I can assure you there was an 's' character at the beginning of the string. It was simple forgetfulness. My bad.
But the last screenshot, like you said (sorry, I will send a text string with it next time :-) I understand it can take a while to type it correctly), is a perfect example of why it looks like it does not work properly.
But when I use the "cookie" package with the "cookie-parser" package, it seems to work as expected.
So thank you very much for your answer and your help. I guess the "cookie" package was what I was missing to resolve my issue.
from cookie-parser.
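The behaviour discussed in this thread, as an added example that is not part of any comment above and is not cookie-parser's own code: a node:crypto re-implementation of the "s:" prefix check with an HMAC-SHA256 signature, showing that the URL-encoded header value comes back unchanged and how a caller can tell "verified" apart from "never signed" and "bad signature". The function names, the secret and the sample value are assumptions constructed for this example.

```javascript
// Added example: illustrative re-implementation, not cookie-parser's source.
const crypto = require('crypto')

// value + '.' + base64(HMAC-SHA256(value)) with '=' padding stripped
function sign (value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64')
  return value + '.' + mac.replace(/=+$/, '')
}

// Returns the value if the signature matches, false otherwise.
function unsign (signed, secret) {
  const value = signed.slice(0, signed.lastIndexOf('.'))
  const expected = Buffer.from(sign(value, secret))
  const actual = Buffer.from(signed)
  const ok = expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual)
  return ok ? value : false
}

// Contract described in the thread: no "s:" prefix -> input returned unchanged.
function signedCookie (str, secret) {
  if (typeof str !== 'string') return undefined
  if (str.slice(0, 2) !== 's:') return str
  return unsign(str.slice(2), secret)
}

// Caller-side check: accept a value only if a signature was actually verified.
function verifiedValue (rawFromHeader, secret) {
  let decoded
  try {
    decoded = decodeURIComponent(rawFromHeader)
  } catch (e) {
    return null // malformed percent-encoding
  }
  const result = signedCookie(decoded, secret)
  // false = bad signature; result === decoded = the cookie was never signed
  return (result === false || result === decoded) ? null : result
}

// Constructed sample data: secret and value are made up for this example.
const SECRET = 'example-secret'
const onTheWire = encodeURIComponent('s:' + sign('ccc', SECRET)) // "s%3Accc...."
```

Because an unprefixed input is returned as-is, comparing the result with the input (and with false) is what separates a verified value from one that was never checked.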