krakenjs / lusca

Application security for express apps.

CSRF: Move from 10 Bytes to 9 or 12. #109

Open jagracey opened 6 years ago

jagracey commented 6 years ago

Currently, Lusca's CSRF module generates 10 bytes of random data. With Base64 conversion, session secrets include two equal sign characters. Is there a specific reason 10 bytes has been chosen? It would be possible to save two characters on every user session if the length was changed.

```js
const crypto = require('crypto');
const LENGTH = 10; // current value in lusca's token.js

crypto.pseudoRandomBytes(LENGTH).toString('base64');
```


Further, it appears pseudoRandomBytes is now deprecated and it might be time to move to randomBytes (not sure if it's deprecated or just removed from the documentation now). Since session secrets by design must be cryptographically secure, I'm not sure why pseudoRandomBytes has been chosen.

PROPOSAL: Change line 18 of token.js (above) to use 12 bytes and use `randomBytes(cb)`.