Using good cookie practices
Some nutritionists say eating too many sweets, such as cookies, is bad for your health. Web cookies, however, are widely used for many purposes including recording whether a browser is logged in or not.
In the Notes application, we're already using some good practices:
- We're using an Express session cookie name different from the default shown in the documentation
- The Express session cookie secret is not the default shown in the documentation
Taken together, an attacker can't exploit any known vulnerability stemming from using default values. All kinds of software products show default passwords or other defaults. Those defaults could be security vulnerabilities, and therefore it's best to not use the defaults. For example, the default Raspberry Pi login/password is pi and raspberry. While that's cute, any Raspbian-based IoT device that's left with the default login/password is susceptible.
But there's a bit more we can do to make the single cookie we're using, the...