In the Lucia adapter, both the session and user IDs are case sensitive since they're base64-encoded (a-z, A-Z, 0-9). However, by default, string comparisons are case insensitive in MySQL so the character set is reduced to 38 characters. This reduces the entropy of the user ID from 120 bits to ~106 bits, ~~and more importantly, the session ID from 144 bits to ~127 bits. This is fortunately still higher than the 112 bits recommended by NIST but should be fixed.~~ Fix: This doesn't affect session tokens since we hash them and hex encode them before storage.
So we have a few options here:
- Use the BINARY column type for IDs: This can make debugging harder since values won't be human-friendly when viewing data.
- `utf8mb4_bin`: Not supported by Drizzle, see https://github.com/drizzle-team/drizzle-orm/issues/638.

I think (4) is the easiest and we should probably add a warning on using case sensitive IDs.
Also kinda relevant #163
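The following MySQL session is an added illustration of the collation problem described in this issue and of the two schema-level fixes mentioned (a BINARY column and the `utf8mb4_bin` collation); it is not code from the Lucia project or its adapters. The table names, column length (20 base64url characters for a 120-bit ID) and the sample IDs are constructed for the example.

```sql
-- Added example (not from the issue or the Lucia adapter).
-- Table names and sample IDs below are constructed for illustration.

-- Under MySQL's default collation (utf8mb4_0900_ai_ci in MySQL 8), letters
-- that differ only in case compare equal, which is what shrinks the effective
-- alphabet of a base64url ID.
SELECT 'abc' = 'ABC';                        -- 1: treated as the same value

-- Comparing under a binary collation restores case sensitivity.
SELECT 'abc' = 'ABC' COLLATE utf8mb4_bin;    -- 0
SELECT BINARY 'abc' = 'ABC';                 -- 0

-- Weak schema: the id column inherits the case-insensitive collation, so a
-- lookup by id and the PRIMARY KEY index both fold case.
CREATE TABLE user_ci (
  id VARCHAR(20) PRIMARY KEY   -- 20 base64url chars = 120 bits if case is kept
);

-- Fix A: a binary column type. Comparisons are byte-wise, but most clients
-- show the column as hex, which is the debugging downside noted above.
CREATE TABLE user_varbinary (
  id VARBINARY(20) PRIMARY KEY
);

-- Fix B: keep a text column but pin a binary collation on it. Values stay
-- readable in tools while comparisons and index lookups are byte-wise.
CREATE TABLE user_bin_collation (
  id VARCHAR(20) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin PRIMARY KEY
);

-- Check: two constructed IDs that differ only by case. The case-insensitive
-- table rejects the second row with a duplicate-key error (ER_DUP_ENTRY);
-- the two fixed tables accept both rows.
INSERT INTO user_bin_collation (id)
  VALUES ('aBcDeFgHiJkLmNoPqRsT'), ('AbCdEfGhIjKlMnOpQrSt');
SELECT COUNT(*) FROM user_bin_collation;     -- 2

-- Audit query for an existing database: list id columns whose collation
-- ends in _ci, i.e. columns still subject to the case folding above.
SELECT TABLE_NAME, COLUMN_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND COLUMN_NAME IN ('id', 'user_id')
  AND COLLATION_NAME LIKE '%\_ci';
```

The audit query is the quickest way to tell whether a deployed schema is affected: any row it returns is an ID column being compared case-insensitively, regardless of how the application generates the value.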