Skip to content

Improve cookie authentication tokens#805

Open
markstory wants to merge 1 commit into
4.xfrom
improve-cookie-token-jorge
Open

Improve cookie authentication tokens#805
markstory wants to merge 1 commit into
4.xfrom
improve-cookie-token-jorge

Conversation

@markstory

Copy link
Copy Markdown
Member

Replace the token generation in CookieAuthenticator with a new token format. The previous token format had weaknesses that could be used to create an authentication bypass if encrypted cookies were not used.

The legacyTokens option provides backwards compatibility for existing tokens, and gives application developers a path to disable legacy token support, which will become the default in a future minor release.

Thanks to Gilles Bedel for reporting this issue through the security mailing list.

@markstory markstory added this to the 4.x milestone Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants