alexedwards / scs

HTTP Session Management for Go
MIT License

Manually Set Token / Session ID? #163

Open dlpetrie opened 1 year ago

dlpetrie commented 1 year ago

I'm looking into moving from gorilla sessions to SCS. One of the potential issues I'm running into is I'm not seeing a way I can set my own Token / Session ID?

We are developing a login system utilizing OIDC ( with Ory Hydra ). As part of this setup, we are sent a Session ID for the OIDC Backchannel logout specification which lets us target a backend session based on the Session ID.

A potential workaround is storing a separate map in our storage that maps an SCS token to the SessionID we receive, but that seems like unnecessary chatter I would like to avoid if possible, and there may be some issues keeping them in sync.

I see we can also iterate through all sessions and try to target data within the session, but this doesn't seem like a great approach when we'll potentially have millions of active sessions.

Also, is the token that is generated guaranteed to be unique? I see it uses a crypto/rand seed, just not sure if that guarantees no collisions on a large-scale basis.

Thanks!
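The "separate map" workaround described above, as an added, self-contained example that is not part of the original post or of scs itself. It assumes an in-memory sid-to-token index (in production it would live in the same Redis/SQL store as the sessions, with the same TTL), and it only depends on the `Delete(token string) error` method of scs's Store interface, so `sm.Store` from a real `*scs.SessionManager` can be passed in; the `memStore` type and the tokens and sids are constructed for the example. Validating the signed OIDC logout token itself is out of scope.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// TokenDeleter is the one method of scs's Store interface that a back-channel
// logout needs. *scs.SessionManager exports its store as the field Store, so
// sm.Store satisfies this interface; no scs import is needed to run this file.
type TokenDeleter interface {
	Delete(token string) error
}

// SidIndex maps the OIDC sid (carried in the ID token at login and in the
// logout token at back-channel logout) to the scs session token issued for
// that login. Assumption for the example: an in-memory map behind a mutex.
type SidIndex struct {
	mu    sync.Mutex
	bySid map[string]string // sid -> scs session token
	store TokenDeleter
}

func NewSidIndex(store TokenDeleter) *SidIndex {
	return &SidIndex{bySid: make(map[string]string), store: store}
}

// Bind records sid -> token after a successful OIDC login. scs rotates the
// token on RenewToken (which should be called at login against session
// fixation), so pass the value of sm.Token(ctx) read *after* the renewal and
// call Bind again after any later rotation; otherwise the index points at a
// token that no longer exists in the store.
func (ix *SidIndex) Bind(sid, token string) error {
	if sid == "" || token == "" {
		return errors.New("sid and token must both be non-empty")
	}
	ix.mu.Lock()
	defer ix.mu.Unlock()
	ix.bySid[sid] = token
	return nil
}

// Unbind drops the mapping on an ordinary front-channel logout or on session
// expiry, so the index does not fill up with dead sids.
func (ix *SidIndex) Unbind(sid string) {
	ix.mu.Lock()
	defer ix.mu.Unlock()
	delete(ix.bySid, sid)
}

// LogoutBySid serves a back-channel logout for one sid: it deletes the session
// from the scs store by its token and removes the index entry. It is
// idempotent: an unknown sid returns (false, nil) rather than an error, since
// the OP may redeliver a logout token after the session has already expired.
func (ix *SidIndex) LogoutBySid(sid string) (bool, error) {
	ix.mu.Lock()
	token, ok := ix.bySid[sid]
	if ok {
		delete(ix.bySid, sid)
	}
	ix.mu.Unlock()
	if !ok {
		return false, nil
	}
	if err := ix.store.Delete(token); err != nil {
		ix.mu.Lock() // restore the mapping so a retry from the OP can succeed
		ix.bySid[sid] = token
		ix.mu.Unlock()
		return false, fmt.Errorf("delete session for sid %q: %w", sid, err)
	}
	return true, nil
}

// memStore is a constructed stand-in for the scs store so the example runs
// offline; it only tracks which tokens currently exist.
type memStore struct {
	mu     sync.Mutex
	tokens map[string]bool
}

func newMemStore(tokens ...string) *memStore {
	m := &memStore{tokens: make(map[string]bool)}
	for _, t := range tokens {
		m.tokens[t] = true
	}
	return m
}

func (m *memStore) Delete(token string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.tokens, token)
	return nil
}

func (m *memStore) Has(token string) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.tokens[token]
}

func main() {
	// Constructed values: a token issued at login and the sid from that login.
	store := newMemStore("tok-alice-1")
	ix := NewSidIndex(store)
	_ = ix.Bind("sid-alice", "tok-alice-1")
	deleted, err := ix.LogoutBySid("sid-alice") // OP posts logout token, sid=sid-alice
	fmt.Println(deleted, err, store.Has("tok-alice-1"))
	deleted, err = ix.LogoutBySid("sid-alice") // redelivery is a harmless no-op
	fmt.Println(deleted, err)
}
```

The rollback in `LogoutBySid` matters: if the store is unreachable when the OP calls, dropping the index entry first would leave a live session that can never be reached by sid again.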

nal commented 1 year ago

> I'm looking into moving from gorilla sessions to SCS. One of the potential issues I'm running into is I'm not seeing a way I can set my own Token / Session ID?

Fork and rewrite this part of the code. But first read further.

> Also, is the token that is generated guaranteed to be unique? I see it uses a crypto/rand seed, just not sure if that guarantees no collisions on a large-scale basis.

As mentioned here, you need at least 128 bits of entropy when generating your session ID/token. In this document there is a formula to calculate the time to brute-force your session ID, so you can plug in your own numbers.

Current implementation uses 32 bytes = 256 bits of entropy. Corresponding code is again here.
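An added example, not code from scs or from anyone in the thread, illustrating the two numbers above: scs reads 32 bytes from crypto/rand and encodes them as unpadded URL-safe base64 (a 43-character token), and 128 bits is the floor. `GenerateToken` reproduces that construction; `CheckToken` is what a hypothetical `SetToken` guard could do with a caller-supplied token (an assumption, not a proposal from the maintainer); `CollisionProbability` is the birthday-bound estimate for the "millions of sessions" question. The constructed short token in `main` is there to show the guard rejecting it.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math"
)

// tokenBytes is what scs reads from crypto/rand: 32 bytes = 256 bits.
const tokenBytes = 32

// minTokenBits is the OWASP floor quoted in the thread.
const minTokenBits = 128

// GenerateToken builds a token the way scs does: 32 bytes from the OS CSPRNG,
// encoded as unpadded URL-safe base64 (43 characters).
func GenerateToken() (string, error) {
	b := make([]byte, tokenBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// TokenBits returns how many bits a token in scs's encoding carries, judged
// by its decoded length. Caveat: length only bounds entropy from above. A
// 43-character token derived from a counter still decodes to 32 bytes, so a
// guard like this rejects obviously short IDs, not badly generated ones.
func TokenBits(token string) (int, error) {
	b, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return 0, fmt.Errorf("token is not unpadded URL-safe base64: %w", err)
	}
	return len(b) * 8, nil
}

// CheckToken is the minimal guard a hypothetical SetToken could apply
// (assumption for this example): well-formed and at least 128 bits long.
func CheckToken(token string) error {
	bits, err := TokenBits(token)
	if err != nil {
		return err
	}
	if bits < minTokenBits {
		return fmt.Errorf("token carries %d bits, need at least %d", bits, minTokenBits)
	}
	return nil
}

// CollisionProbability is the birthday-bound approximation
// p ~ n^2 / 2^(bits+1) for n tokens drawn uniformly from 2^bits values.
// It is accurate while p is small, which is the only regime that matters here.
func CollisionProbability(n float64, bits int) float64 {
	return n * n / math.Pow(2, float64(bits+1))
}

func main() {
	tok, err := GenerateToken()
	if err != nil {
		panic(err)
	}
	bits, _ := TokenBits(tok)
	fmt.Printf("%s (%d chars, %d bits) guard: %v\n", tok, len(tok), bits, CheckToken(tok))

	// Constructed 8-byte (64-bit) token: the guard rejects it.
	short := base64.RawURLEncoding.EncodeToString(make([]byte, 8))
	fmt.Printf("%s guard: %v\n", short, CheckToken(short))

	for _, b := range []int{128, 256} {
		fmt.Printf("p(collision) for 1e6 live sessions at %d bits: %.3g\n",
			b, CollisionProbability(1e6, b))
	}
}
```

For a million live sessions the 256-bit estimate is on the order of 1e-66, and even the 128-bit floor gives roughly 1e-27, which is why collisions are not the concern; the concern in the thread is tokens that never had that much randomness in the first place, which a length check cannot detect.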

alexedwards commented 9 months ago

@dlpetrie Yes, as @nal says, session tokens use 256 bits of entropy, collisions aren't something to worry about.

In theory, we could add a SetToken() method that allows you to set a custom session token (a.k.a session ID).

From a code point of view, I think this would be a simple addition. My main concern is opening up a potential security hole by allowing people to (accidentally or on purpose) use session tokens that are not generated using a CSRNG or contain sufficient entropy.

Does anyone else have any views on this? Is the potential utility of a SetToken() function worth the added risk?

zakyalvan commented 8 months ago

I have an identical case: I need to use the sid from the OIDC provider as the session token, so I can handle the back-channel logout request from the OIDC server (identified by the sid in the logout token) by simply removing it from the session store. It seems adding SetToken would be the simplest approach.

iOfek commented 4 months ago

Hi @alexedwards , SetToken would be much appreciated. Any updates on the topic? Thanks.