node.js – What is the sessions secret option?

node.js – What is the sessions secret option?

Yes, you should change it. A session secret in connect is simply used to compute the hash. Without the string, access to the session would essentially be denied. Take a look at the connect docs, that should help a little bit.

The secret is used to hash the session with HMAC:

https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L256

The session is then protected against session hijacking by checking the fingerprint against the hash with the secret:

https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L281-L287

node.js – What is the sessions secret option?

Leave a Reply

Your email address will not be published.