Default random cookie secret causes issues on multi-instance deploys #1147

Closed
michaelbromley opened this issue Oct 12, 2021 · 0 comments
Closed
Assignees
Labels
type: bug 🐛 Something isn't working

Comments

@michaelbromley
Member

Describe the bug
In the default config, the cookie settings have the secret as a random value:

    cookieOptions: {
        secret: Math.random().toString(36).substr(3),
        httpOnly: true,
    },

This causes issues with multi-instance deploys, because unless the secret is explicitly set in the vendure-config, a different random secret will be used in each instance, meaning instance A won't be able to read cookies set by instance B, and vice versa.

This is a cause of confusion, as the reason for sessions not working across instances is hard to debug.

Possible solutions

Two possible solutions:

  1. Don't make the default value random. Use some hard-coded constant string. Need to research any security implications of doing this, since it is likely that most users will leave this unchanged.
  2. Expose the cookie secret setting as part of the @vendure/create config file template. This makes it clear that the setting exists and allows users to easily change it to something unique for their project.

Environment (please complete the following information):

  • @vendure/core version: 1.2.3
  • Nodejs version: any
  • Database (mysql/postgres etc): any
@michaelbromley michaelbromley added the type: bug 🐛 Something isn't working label Oct 12, 2021
@michaelbromley michaelbromley self-assigned this Oct 12, 2021