The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.

cookie 仍然可见，但它有一个签名，因此它可以检测客户端是否修改了 cookie。

It works by creating a HMAC of the value (current cookie), and base64 encoded it. When the cookie gets read, it recalculates the signature and makes sure that it matches the signature attached to it.

它的工作原理是创建值的 HMAC（当前 cookie），并对其进行 base64 编码。当 cookie 被读取时，它会重新计算签名并确保它与附加到它的签名相匹配。

If it does not match, then it will give an error.

如果不匹配，则会报错。

If you want to hide the contents of the cookie as well, you should encrypt it instead (or just stores it in the server side session). I'm not sure if there is middleware for that already out there or not.

如果你也想隐藏 cookie 的内容，你应该加密它（或者只是将它存储在服务器端会话中）。我不确定是否已经有中间件。

Edit

编辑

And to create a signed cookie you would use

并创建一个签名的cookie，你会使用

res.cookie('name', 'value', {signed: true})

And to access a signed cookie use the signedCookiesobject of req:

要访问签名的 cookie，请使用以下signedCookies对象req：

req.signedCookies['name']

Yup like emostar mentions it's simply to ensure that a value has not been tampered with. It's placed in a different object (req.signedCookies) to differentiate between the two, allowing the developer to show intent. If they were stored in req.cookies along with the others someone could simply craft an unsigned cookie of the same name, defeating the whole purpose of them.

是的，就像 emostar 提到的那样，它只是为了确保值没有被篡改。它被放置在不同的对象 (req.signedCookies) 中以区分两者，从而允许开发人员展示意图。如果它们与其他人一起存储在 req.cookies 中，那么有人可以简单地制作一个同名的未签名 cookie，从而破坏了它们的全部目的。

I have been searching pretty extensive for a good answer to this... And looking at the source code of cookie-signature, that is used by cookie-parserto sign the signed cookies have given me a better understanding of what a signed cookie is.

我一直在寻找一个很好的答案......并且查看 的源代码cookie-signature，用于cookie-parser签署签名的 cookie 让我更好地理解了签名的 cookie 是什么。

valis of course the value of the cookie, and secretis the string you add as option to cookie-parser

val当然是 cookie 的值，并且secret是您作为选项添加的字符串 cookie-parser

https://github.com/visionmedia/node-cookie-signature/blob/master/index.js#L16

https://github.com/visionmedia/node-cookie-signature/blob/master/index.js#L16

I used cookie-parser 1.4.4 version.

我使用了 cookie-parser 1.4.4 版本。

I could add signed cookies and signed cookie encrypted in browser, If i try to edit signed cookie using editThisCookie (chrome plugin) then cookie-parser detect external change and then set false as value.

我可以添加签名 cookie 和在浏览器中加密的签名 cookie，如果我尝试使用 editThisCookie（chrome 插件）编辑签名 cookie，则 cookie 解析器检测外部更改，然后将 false 设置为值。

response.cookie('userId',401,{signed: true})

Response header in browser,appear as

浏览器中的响应头，显示为

Set-Cookie: empId=s%3A101.US2oSV4TSvfkvvEQ5fj1sXsjj8rNxx2ph4VdHNTuKX8; Path=/

Get signed cookie

获取签名 cookie

request.signedCookies

https://gist.github.com/dineshbalaji/607d166f0240f932a5cb02099b0ece4c

https://gist.github.com/dineshbalaji/607d166f0240f932a5cb02099b0ece4c