-
-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for multiple cookies with the same name from different domains #88
Comments
Yes, it currently only returns one. Please feel free to submit a pull request implementing the feature you're looking for! If you're not sure where to start, let us know and also feel free to describe what you think your implementation could be if you're not sure and need help on that :) |
Well, the obvious API would be to return an array if there's more than one... But this is terrible from a "breaking the API" perspective. You could add a Although I'm debating if it's easier to submit a PR or just rename this second cookie. :P |
I also have no idea how signed cookies would work here. I'd guess you'd have to check the cookie against every signature? |
Yea, an array is obvious, though an API that sometimes returns an array and sometimes a string, with that being completely controlled by an untrusted party usually ends badly, so would like to really have an API that only returns one or only returns an array (even if it's just an array of one). The One problem is I'm not sure how the key rotation will work with this, since when the key is getting updated, it needs to set the new |
So the cookies are already checked against every signature, the purpose is key rotation. Then when the cookie is using an outdated key, the new |
RFC 6265 says:
Which is... the opposite of helpful. :) Although this RFC makes no mention of signed cookies, and a quick five minutes of googling hasn't found me an RFC that does. |
Signed cookies here isn't going to be an RFC. How it works is that this module always sets two cookies: one is |
Oh, I see, the signature is a custom thing. Yeah, so you can't rely on order - you just have to check them all. And yes, key rotation is going to be painful. :P You would need to set the cookie with the same domain and path, or else you risk blowing away the wrong signature. And since these aren't included in what's passed in, there's no way to know them. I think you're existing signature implementation is broken if you're setting domains, though, because key rotation always sets a cookie with no domain.
In the single "get" case, you can pass the same options to `get` as you pass to `set`, and then so long as the keys from different domains are signed with different keys, it'll work out. I don't think there's a sensible way to do multi-get here.
|
@jwalton @dougwilson But what about the domains? Both |
@raqystyle yes, exactly - one has the "foo.server.com" domain, and one has the ".server.com" domain (meaning it's sent to any server in *.server.com). Unfortunately, the client doesn't bother to send the domain the cookie was set for in the request. |
I'm having a related problem - I want to clear a particular cookie key both for an unspecified domain and a specified domain at the same time, but I'm finding that this library will not actually create |
Let's say you have a website at "foo.server.com", and you set a cookie called "session" with the domain "foo.server.com". Then you set a second cookie called "session" with the domain ".server.com". You might expect one cookie to overwrite the other, but actually what happens is the browser will send you both cookies. It seems like
cookies
right now can only parse the first one, but there are use cases where you want to retrieve both of them.The text was updated successfully, but these errors were encountered: