00:00 Let's get into session storage. This is where we're going to start getting into a little bit of actual Auth stuff. But this is another one of those underlying technologies that Auth really relies on is session storage in the cookie. So, cookies can be configured in a variety of ways and three of them that are very important for Auth

00:18 are that the cookie is only accessible via HTTP. That means that only the browser has access to it and it does not share that with any client-side JavaScript and then it sends that cookie over to the server. So, the server actually, as far as our code is concerned, server is the only thing that has access to these cookies, which is desired.

00:38 And then also signed. So, that means that a user couldn't generate their own cookie and try to pretend to be somebody else. And so, we use a special secret key that only we know to cryptographically sign the cookie value

00:55 so that when we read it on the server side, we verify that yes, I did make this cookie or no, somebody else made this cookie and I will not accept it. And then finally, secure. So, it should only work on HTTPS and that just is a given now.

01:12 We should only be operating on HTTPS and if somebody is connecting to your site on HTTP, then we shouldn't be giving them a cookie because there could be all sorts of vulnerabilities that they are subject to. So, we will not send any cookies unless it's secure.

01:29 Okay, so in Remix, there are some utilities for working with cookies and I copied some of this from the docs. And so, here you have this create cookie and that gives you the cookie value that you can then serialize and stuff. And there are options that you can provide for these different things, but we're not going to be using this API.

01:47 Instead, we're going to be using the cookie session storage because this allows us to create a session object which we can then set and get and flash different values to and we'll learn all about that in this exercise.

02:01 So, you create the cookie session storage and then you can configure your cookie in a very similar way to what you can do up here. So, here you give it a name, so that is like what that cookie name will appear as in your cookies listed here.

02:18 And in fact, like all of this config ends up showing up in here. So, the name, the value, domain, the path, when it expires, what is this? That's the size, I think. HTTP only, secure, same site. I think this one's priority.

02:35 This one is, come on, we need some accessibility experts in here. What does that say? It is partition something. Clearly, I don't use this particular property, but partition key.

02:49 Okay, so all this stuff we can configure and not all of it do we necessarily need to. So, the domain, that's going to just default to whatever domain you're on. The path is also related.

03:01 It's just what part of this particular application does, as far as the route is concerned, what part of that does this cookie apply to? So, if you say slash admin and you set a cookie there, that will not apply to slash users or whatever. Then you can specify when you want it to expire.

03:20 We're going to talk about expiration a little bit later in the workshop. But, yeah, so you have max age and expires that allow you to determine when this cookie expires, which is really nice so that you can proactively or time how long a cookie is going to live in their cookie jar for.

03:39 And then here's HTTP only and secrets is used for that serialization and signing, and so we're going to talk about that. And then secure, we'll talk about that as well, and our same site. So, lots of stuff to do with session storage, and we're going to be using session storage a lot in this workshop.

03:57 So, buckle up. It's going to be fun.