
New option httpOnly = "signature" #89

Open
javiertury opened this issue Aug 22, 2017 · 7 comments

@javiertury

javiertury commented Aug 22, 2017

Hi,

I think it would be useful to have a new option for signed cookies such that the cookie is httpOnly = false but the signature is httpOnly = true. The case for this is Single Page Apps (SPA).

  • Store the authentication (session/username...) data in a cookie. An XSS attack can steal the cookie but not the signature (httpOnly = true).
    • If the server checks the signature, the cookie without the signature is useless for authentication.
  • The client SPA can read the cookie to see if there is an active login, and depending on the setup, which user is logged in.
    • No need to query the server to know if a user is logged in. Provides an easier/cheaper way to keep the local auth state consistent in the SPA

I propose to create a new option, httpOnly = "signature", to achieve this. A quick way to implement this feature is this javiertury@ffda6e4

Note that I've used the weak comparison (==) operator.

EDIT: Better implementation

@dougwilson
Contributor

Yea, I think this makes sense. There are likely several different attributes that one may like to be separate between the two cookies, like httpOnly, secure, and sameSite to name a few. A generic way to just make any attribute different between the two cookies may be the best way forward to solve whatever the user's use-case would be.

@javiertury
Author

I've created a new branch in which opts.signature can override the rest of options set in opts for the signature cookie. It should be backwards compatible. Here is what has changed with respect to master javiertury@dd02e4c. If you like it, we can start working on the new tests.

The old httpOnly="signature" approach is at https://github.com/javiertury/cookies/tree/opts-signature
This new opts.signature approach is at https://github.com/javiertury/cookies/tree/httpOnly-signature

@BertoldVdb

This would also be useful for me, to avoid needless round trips to the server to get info that is already in the cookie. I wonder if there is any use case where the signature cookie should not be httpOnly? It is only useful to code that knows the secret, and if that code runs on the client then the signing seems useless.

@javiertury
Author

@BertoldVdb, it's also difficult for me to find a use for both the cookie and its signature being readable from JavaScript. Perhaps this argument can be used to simplify the interface. Make httpOnly a boolean that makes the cookie readable, while the signature is always httpOnly.

@BertoldVdb

This is what I do at the moment in a privately patched version. I can submit a pull request if you want.

@javiertury
Author

I encourage you to do so, let's find out what the maintainers think.

@noinkling

noinkling commented Jan 27, 2024

Being able to set/unset the HttpOnly attribute for the signature cookie independently would also make it a lot easier to implement "offline logout" (invalidating a session when the server is unreachable), by deleting one of the cookies in browser-side JS, without having to compromise security more than necessary. In my case I'd probably want the session cookie to be HttpOnly and the signature cookie not, but there are probably arguments for the opposite (like in the OP), so both possibilities would be welcome.
