Some nutritionists say eating too many sweets, such as cookies, is bad for your health. Web cookies, however, are widely used for many purposes including recording whether a browser is logged in or not.
In the Notes application, we're already using some good practices:
- We're using an Express session cookie name different from the default shown in the documentation
- The Express session cookie secret is not the default shown in the documentation
Taken together, an attacker can't exploit any known vulnerability stemming from using default values. All kinds of software products show default passwords or other defaults. Those defaults could be security vulnerabilities, and therefore it's best to not use the defaults. For example, the default Raspberry Pi login/password is pi and raspberry. While that's cute, any...