From 32eed0eefd52cb7e9a3a3104d25b287b6e329036 Mon Sep 17 00:00:00 2001
From: Abhimanyu
Date: Tue, 10 Mar 2026 12:02:29 +0530
Subject: [PATCH] fix: resolve #108 - exclude false/undefined signed cookies

When cookie secret is changed, signed cookies signed with the old secret return false. These should not be included in signedCookies result as they are invalid, not just unsigned.
---
 index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index dd6d479..45dc45b 100644
--- a/index.js
+++ b/index.js
@@ -172,7 +172,8 @@ function signedCookies (obj, secret) {
 val = obj[key]
 dec = signedCookie(val, secret)
- if (val !== dec) {
+ // only include valid signed cookies (not false/undefined from invalid signature)
+ if (val !== dec && dec !== false && dec !== undefined) {
 ret[key] = dec
 delete obj[key]
 }
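Review bot: The `delete obj[key]` still sits inside the narrowed `if`, so a cookie whose signature check returned `false` is now neither recorded in `ret` nor removed from `obj`. The raw, unverified string therefore stays in the object the caller passed in, where it is presumably read afterwards as an ordinary unsigned cookie. Any caller that tested for a `false` entry to detect a failed signature also loses that signal. If the intent is only to keep invalid values out of the result, leave `if (val !== dec) {` as it was, guard just the assignment with `if (dec !== false && dec !== undefined) ret[key] = dec`, and keep `delete obj[key]` unconditional inside the outer `if`. The body of `signedCookies` starts and ends outside this hunk, so the effect on the returned object and on `obj` should be confirmed with a test that passes a cookie signed under a different secret.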