Default cookie name doesn't satisfy RFC6265

[guersam]

The default cookie name express:sess contains :, which is not a valid token character in accordance with RFC6265 and RFC2616. Although most web browsers and servers allow this, it causes problems in some more strict environment such as spray.

Would you consider remaining it? If so, should we take backward compatibility into account?

p.s. I posted the same issue as koajs/session#28.

[Fishrock123]

This breaks anyone who is naively using any hard-coded references to the default cookie name.

For now, just use the name option.

[dougwilson]

This breaks anyone who is naively using any hard-coded references to the default cookie name.

Exactly. We should probably change it, but cannot for some time.

[dougwilson]

Perhaps we should just not even have this be a default? I think that would be the better option to make people choose their own cookie names, since that is basically an integral part of cookies.

[Fishrock123]

Perhaps we should just not even have this be a default?

Yeah, that might be a good idea.
We should probably also error on RFC-invalid cookie names.

[dougwilson]

We should probably also error on RFC-invalid cookie names.

Yea. I looked at the RFC and it says the cookie name should be a token (which cannot have things like :).

[anextro]

Has this problem been solved.?

[dougwilson]

@anextro no, not until the next major release. You can always just use a different cookie name from the default for your app in the meantime.