pixelmund / svelte-kit-cookie-session

⚒️ Encrypted "stateless" cookie sessions for SvelteKit
MIT License

Security of Hashing Algorithm #40

Closed elliott-with-the-longest-name-on-github closed 2 years ago

elliott-with-the-longest-name-on-github commented 2 years ago

Edit: sorry for the initial confusing title -- GitHub mobile is kind of weird.

Hey there! I hate asking questions via GitHub issues, but I wasn't sure how else to get in touch. 🙂 I wanted to double check: Is the method of encrypting the cookie considered cryptographically secure? I use OAuth, which requires me to manage access tokens, which I would normally stick into my session on the server side. Using this library, that means they'd be sent to the client (which is traditionally unsafe, but should be fine so long as they're part of an "unbreakable enough" encryption that I can rotate regularly). It looks like they are, but I just need to make sure!

pixelmund commented 2 years ago

Hey! I'm by no means a security expert, but the algorithm used, AES-GCM 128, should be cryptographically secure and sufficient for your needs!

elliott-with-the-longest-name-on-github commented 2 years ago

@pixelmund

Yep, that algorithm should be fine.

One last question. Is the hook expecting to infinitely increment the secret ID, or is there a point at which it would be OK to reuse an ID that had been rotated out of use long ago?

pixelmund commented 2 years ago

Sorry for the late response, I was quite busy. I think you should be infinitely incrementing the secret ID, just to be sure.