Muhammad Umer

Reputation: 18137

Does session secret in nodejs do the same thing as a signed cookie?

In express you set up session kinda like this:

// express 3 style; in express 4 the same middleware is the express-session package
var express = require('express');
var app = express();

app.use(express.session({
  store: store({...}),
  secret: 'topsecret'
}));

On reading up on what secret does, I got this: "protects against session hijacking by checking the fingerprint"

which sounds very much like a signed cookie: "ensure that a value has not been tampered with. It's placed in a different object (req.signedCookies) to differentiate between the two"

Is there a difference between the two?

I understand signed cookies: a hash is created from the cookie value + secret and saved alongside the values in the cookie. This way you know if the cookie values have been tampered with.

Upvotes: 1

Views: 766

Answers (1)

Daniel Conde Marin

Reputation: 7742

You are correct, the secret is used to sign the cookie so it can't be tampered with. You can look at the source code for how express-session serialises the cookie:

// dependencies express-session pulls in for this function
var signature = require('cookie-signature');
var cookie = require('cookie');
var debug = require('debug')('express-session');

function setcookie(res, name, val, secret, options) {
  // prefix the HMAC-signed value with "s:" so it is recognised as signed on the way back in
  var signed = 's:' + signature.sign(val, secret);
  // build the Set-Cookie header value (name=value; Path=...; HttpOnly; ...)
  var data = cookie.serialize(name, signed, options);

  debug('set-cookie %s', data);

  // append to any Set-Cookie header already queued on the response
  var prev = res.getHeader('set-cookie') || [];
  var header = Array.isArray(prev) ? prev.concat(data) : [prev, data];

  res.setHeader('set-cookie', header);
}

Basically it is signing it using SHA-256, which generates a 32 byte hash.

There is also unsigncookie, which verifies your cookie hasn't been tampered with. Obviously it verifies against the same secret above used to sign it:

var signature = require('cookie-signature');

// secrets is an array: the first entry signs new cookies, older entries still
// verify cookies issued before a secret rotation
function unsigncookie(val, secrets) {
  for (var i = 0; i < secrets.length; i++) {
    // unsign returns the original value, or false if the signature does not match
    var result = signature.unsign(val, secrets[i]);

    if (result !== false) {
      return result;
    }
  }

  return false;
}

Upvotes: 2
