
fix: resolve #108 - exclude false/undefined signed cookies #162

Open
abhii734 wants to merge 1 commit into expressjs:master from abhii734:fix/signed-cookie-false

Conversation

@abhii734

Bug (cookie-parser#108)

When the cookie secret is changed, signed cookies that were signed with the old secret cannot be verified and signedCookie() returns false. The current code checks `if (val !== dec)`, which is true even when dec is false, causing invalid signed cookies to be included in the result as false.

Fix

Add an additional check to exclude cookies with false or undefined values from the signed cookies result.

Verification

  1. Create a signed cookie with secret 'abc'
  2. Change the secret to 'xyz' on the server
  3. Send a request with the old signed cookie
  4. Before fix: req.signedCookies.csrf === false
  5. After fix: req.signedCookies.csrf === undefined (not included)

When the cookie secret is changed, signed cookies signed with the old
secret return false. These should not be included in the signedCookies
result as they are invalid, not just unsigned.