Express cookie-session weak secret key
Description
The Express web application uses the cookie-session middleware with a weak or default secret key for signing session cookies. This secret is what protects cookie integrity and prevents tampering. The application is currently using a predictable or commonly known secret value that was successfully identified during scanning, leaving session cookies vulnerable to forgery and manipulation.
Remediation
Replace the weak secret key with a cryptographically strong random value of at least 32 characters. Generate the secret using a secure random generator and store it in environment variables or a secure configuration management system, never in source code.
Example of secure implementation:

const express = require('express');
const session = require('cookie-session');
const crypto = require('crypto');

const app = express();

// Generate a strong secret once, out of band, and store it securely:
// const secret = crypto.randomBytes(32).toString('hex');

app.use(session({
  name: 'session',
  keys: [process.env.COOKIE_SECRET], // loaded from an environment variable, never hard-coded
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
}));

Ensure the secret is rotated periodically and never committed to version control. Consider using multiple keys in the keys array to support key rotation without invalidating existing sessions.