Merge pull request #40 from ministryofjustice/ag--document-cookie-magic

Add a note in the README regarding the RStudio auth cookie
ministryofjustice · Aug 23, 2018 · dddee66 · dddee66
2 parents 8d4afb4 + 6c3c2fb
commit dddee66
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -7,3 +7,13 @@ RStudio auth proxy
 - `COOKIE_MAXAGE`, maximum age of session cookies in seconds.
  Defaults to `3600` seconds (1 hours).
  See [`Set-Cookie: MaxAge` documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
+
+
+### RStudio authentication cookie
+The proxy sets the `user-id` cookie which is checked by RStudio to determine
+whether the user is authenticated or not.
+
+The value of this cookie is constructed in the [`auth.js` module](/app/auth.js).
+Read the code for the full implementation details and cookie format.
+
+This cookie is signed so that RStudio can verify that the cookie was not tampered with.