I am trying to figure out what "signed cookies" actually are. There isn't much on the net, and if I try this:
app.use(express.cookieParser('A secret'));
Yup, like emostar mentions, it's simply to ensure that a value has not been tampered with. It's placed in a different object (req.signedCookies) to differentiate between the two, allowing the developer to show intent. If they were stored in req.cookies along with the others, someone could simply craft an unsigned cookie of the same name, defeating the whole purpose of them.
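
The separation described in the answer above, as an added example that is not part of the original post or Express's own source: a simplified model of signing a cookie with HMAC-SHA256 and routing it by the `s:` prefix that Express's cookie parser uses. The function names (`signCookie`, `unsignCookie`, `splitCookies`) and the sample values are hypothetical.

```javascript
// Added example: simplified model of signed-cookie handling (not Express source).
const nodeCrypto = require('crypto');

const SECRET = 'A secret'; // same secret string as in the question

// HMAC-SHA256 over the value, base64 without padding.
function mac(value, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(value).digest('base64').replace(/=+$/, '');
}

// Produce the wire form: "s:" marks the cookie as signed.
function signCookie(value, secret) {
  return 's:' + value + '.' + mac(value, secret);
}

// Returns the original value, or false when the signature does not verify.
function unsignCookie(raw, secret) {
  const body = raw.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot === -1) return false;
  const value = body.slice(0, dot);
  const given = Buffer.from(body.slice(dot + 1));
  const expected = Buffer.from(mac(value, secret));
  // Constant-time compare; lengths must match first.
  if (given.length !== expected.length) return false;
  return nodeCrypto.timingSafeEqual(given, expected) ? value : false;
}

// Split parsed cookies into { cookies, signedCookies } by the "s:" prefix.
function splitCookies(parsed, secret) {
  const cookies = {};
  const signedCookies = {};
  for (const [name, raw] of Object.entries(parsed)) {
    if (raw.startsWith('s:')) {
      signedCookies[name] = unsignCookie(raw, secret);
    } else {
      cookies[name] = raw; // unsigned: never promoted to signedCookies
    }
  }
  return { cookies, signedCookies };
}

// Constructed sample requests: genuine, value altered after signing, and plain unsigned.
const genuine = splitCookies({ user: signCookie('alice', SECRET) }, SECRET);
const tampered = splitCookies({ user: signCookie('alice', SECRET).replace('alice', 'admin') }, SECRET);
const unsigned = splitCookies({ user: 'admin' }, SECRET);
console.log(genuine.signedCookies, tampered.signedCookies, unsigned);
```

A handler that reads only `signedCookies.user` sees `'alice'` for the genuine cookie, `false` for the altered one, and nothing at all for the unsigned cookie of the same name.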