Closed pixelmund closed 2 years ago
I think as long as you're only using 1 iteration of PBKDF2, the performance will be fast enough that it doesn't need to be async. However, if you decide to make that configurable (and I think you will want to make the iterations configurable in the future, as some people may want to do more than 1 iteration depending on their site's security needs), then you'll want to be able to make it async. Because if someone chooses to do enough iterations of PBKDF2 that it takes 500ms to initialize a single session, then they'll definitely want that to be async so that one user logging in doesn't paralyze the server for half a second.
Not sure what's best practice here, or if making it async is worth it. Performance benchmarks show around 700ms for initializing and decoding 25000 sessions (20000) for encoding.