Don't throw on invalid cookies

[bkw]

Since cookies are user input, we shouldn't throw an exception if the cookie does not pass our tests.
Imho ignoring it is sufficient.

Maybe we could emit an event for debugging purposes, but certainly not an error.

[lloyd]

+1. As it stands now, client code must clumsily work around it at a higher level, something like:

server.use(express.cookieParser());

var cookieSessionMiddleware = sessions({
    secret: COOKIE_SECRET,
    session_key: COOKIE_KEY,
    path: '/'
});

server.use(function(req, resp, next) {
    try {
        cookieSessionMiddleware(req, resp, next);
    } catch(e) {
        console.log("invalid cookie found: ignoring");
        delete req.cookies[COOKIE_KEY];
        cookieSessionMiddleware(req, resp, next);
    }
});

[hiddentao]

+1

[jasoo24]

+1

Is this project still being worked on? Any better alternatives?

[lloyd]

We're now using benadida/node-client-sessions - fwiw

--lloyd

On May 31, 2012, at 1:41 AM, Jason Arorareply@reply.github.com wrote:

+1

Is this project still being worked on? Any better alternatives?

---

Reply to this email directly or view it on GitHub:
#9 (comment)

[lloyd]

source: https://github.com/benadida/node-client-sessions

in npm: http://search.npmjs.org/#/client-sessions