It says here that it is used to SIGN the session ID in the cookie. And here are my questions:
- By SIGNING, does it mean that it is just to tell the browser who the true sender of the cookie is?
- If it means encrypt session ID in the cookie instead, is this secret key used to prevent session hijacking? If yes, how? Or what security benefit does it provide?
I think a hacker can just steal the encrypted cookie data when we send it to the server and pretend to be us. My opinion here is based on this post. So I'm not sure if it is valid for expressjs as well.