Switch browser cookie signature from SHA1 to SHA384.

2025-03-09 15:40:18 +00:00 · 2022-07-11 11:11:03 -07:00 · 2022-07-11 11:11:03 -07:00 · 626c490771
commit 626c490771
parent a151dcbfe6
2 changed files with 16 additions and 6 deletions
--- a/webrelayserver.js
+++ b/webrelayserver.js
@ -61,11 +61,16 @@ module.exports.CreateWebRelayServer = function (parent, db, args, certificates,
            }
        }

+        // Setup a keygrip instance with higher default security, default hash is SHA1, we want to bump that up with SHA384
+        // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
+        // If args.sessionkey is a string, use it as a single key, but args.sessionkey can also be used as an array of keys.
+        const keygrip = require('keygrip')((typeof obj.args.sessionkey == 'string') ? [obj.args.sessionkey] : obj.args.sessionkey, 'sha384', 'base64');
+
        // Setup cookie session
-        var sessionOptions = {
+        const sessionOptions = {
            name: 'xid', // Recommended security practice to not use the default cookie name
            httpOnly: true,
-            keys: [args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
+            keys: keygrip,
            secure: (args.tlsoffload == null), // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
            sameSite: (args.sessionsamesite ? args.sessionsamesite : 'lax')
        }