From 3c9a86306a1ea5d633ecf84690d1951a2b63ab17 Mon Sep 17 00:00:00 2001
From: Mark Moffat
Date: Sat, 26 Oct 2019 11:17:29 +1030
Subject: [PATCH] Added note to update session secret
---
README.md | 16 ++++++++++++++++
app.js | 2 +-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 89f044f..30648b3 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,22 @@ Settings can be managed from the admin panel ([http://127.0.0.1:1111/admin](http
 All settings are stored in json files in the `/config` directory. The main application-level settings are stored in `/config/settings.json` while payment gateway settings are stored in files in the `/config` directory named after the payment gateway. For example, configuration for the Stripe payment gateway is stored in `/config/stripe.json`.
+> When using in production be sure to update the session secret in `app.js` to a safe random string. Eg:
+
+```
+app.use(session({
+ resave: true,
+ saveUninitialized: true,
+ secret: 'UPDATE_TO_RANDOM_STRING',
+ cookie: {
+ path: '/',
+ httpOnly: true,
+ maxAge: 900000
+ },
+ store: store
+}));
+```
+
 ##### Local configuration
 If you'd rather store settings in a file which isn't checked into version control, you can create a new settings file at `/config/settings-local.json` and store your complete settings there. When viewing or editing settings in the admin panel, expressCart will detect the existence of this file and update it accordingly.
diff --git a/app.js b/app.js
index 599a3d1..bf09129 100644
--- a/app.js
+++ b/app.js
@@ -243,7 +243,7 @@ app.use(cookieParser('5TOCyfH3HuszKGzFZntk'));
 app.use(session({
 resave: true,
 saveUninitialized: true,
- secret: 'pAgGxo8Hzg7PFlv1HpO8Eg0Y6xtP7zYx',
+ secret: 'UPDATE_TO_RANDOM_STRING',
 cookie: {
 path: '/',
 httpOnly: true,
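Review bot: The new `secret: 'UPDATE_TO_RANDOM_STRING'` in the app.js hunk is still a hard-coded, publicly known signing secret, so any deployment that skips the manual edit the README note asks for runs express-session with a secret an attacker can use to forge signed session cookies; the safer shape is to read the value from configuration and refuse to start when it is missing or still the placeholder, as sketched below. The hunk header shows `app.use(cookieParser('5TOCyfH3HuszKGzFZntk'))`, which appears to be the same kind of hard-coded signing secret and is left untouched by this commit. The removed value also stays in git history, so installations that ran with it should presumably treat existing sessions as compromised and rotate rather than rely on the source change alone. The `app.use(session({ ... }))` call continues past the end of the hunk.
```javascript
// Fail fast rather than ship a known secret; the value could equally be
// sourced from the app's /config settings loader if that is preferred.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret || sessionSecret === 'UPDATE_TO_RANDOM_STRING') {
    throw new Error('SESSION_SECRET must be set to a long random value');
}
app.use(session({
    // … unchanged: resave, saveUninitialized …
    secret: sessionSecret,
    // … unchanged: cookie block, store …
```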