zohl / servant-auth-cookie

Authentication via encrypted cookies
BSD 3-Clause "New" or "Revised" License

Getting a unique session id #32

Closed mschristiansen closed 7 years ago

mschristiansen commented 7 years ago

I need a unique session id and I could obviously generate one and store it in cookiePayload together with UserId and whatever else, but is cookieIV already usable for this?

Think I'll end with something like HashMap SessionId (TChan Message) and will also need a way to expire entries in the HashMap. Could possibly use the entire cookie as a key, which would give me that information.

zohl commented 7 years ago

Unfortunately, you cannot use IV as a session id, as it is changing on every request:

So, indeed, you have to store session id in the payload. And for the same reason you cannot use the whole cookie as a key (it starts with IV, which is changing during a session).

As for expiration checks, it's not that straightforward. I don't know the details of your use case, so I'll clarify a few details that might be useful for you :)

That said, it really depends on your use case. For example, if you want to implement CSRF protection, you do not need a table at all: session tokens will be discarded as soon as the cookies expire. Or if you want to forbid a user from having more than N sessions simultaneously, you will have to keep a table of session ids and expiration times, and check before each addSession whether there are fewer than N non-expired sessions. (And eventually clear the expired ones out of it.)
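A sketch of the "at most N live sessions per user" table described above, added here as an illustration and not code from servant-auth-cookie or from either participant. It assumes the session id is a random token you generate yourself and store in cookiePayload (as the reply says the IV cannot serve that purpose), and it models the table as a pure `Data.Map` keyed by user and session id, with the expiration time as the value; `addSession` itself is not called, only the check you would run before it. The user id, session ids and TTL in `main` are constructed sample values.

```haskell
module SessionTable where

import qualified Data.Map.Strict as Map
import Data.Maybe (fromMaybe)
import Data.Time.Clock (UTCTime, NominalDiffTime, addUTCTime, getCurrentTime)

-- Hypothetical types: in a real application the SessionId is the random
-- token you put into cookiePayload next to the UserId.
type UserId    = Int
type SessionId = String

-- Expiration time of every known session, keyed by (user, session id).
type SessionTable = Map.Map (UserId, SessionId) UTCTime

emptyTable :: SessionTable
emptyTable = Map.empty

-- Drop every entry whose expiration time is not strictly in the future.
purgeExpired :: UTCTime -> SessionTable -> SessionTable
purgeExpired now = Map.filter (> now)

-- Number of non-expired sessions that belong to one user.
liveSessions :: UTCTime -> UserId -> SessionTable -> Int
liveSessions now uid =
  Map.size . Map.filterWithKey (\(u, _) expiry -> u == uid && expiry > now)

-- The check to run before addSession: purge stale entries, then admit the
-- new session only if the user still has fewer than `limit` live ones.
-- Nothing means "refuse": the caller should not issue a new cookie.
registerSession
  :: Int -> NominalDiffTime -> UTCTime -> UserId -> SessionId
  -> SessionTable -> Maybe SessionTable
registerSession limit ttl now uid sid table
  | liveSessions now uid cleaned >= limit = Nothing
  | otherwise = Just (Map.insert (uid, sid) (addUTCTime ttl now) cleaned)
  where
    cleaned = purgeExpired now table

main :: IO ()
main = do
  now <- getCurrentTime
  let ttl   = 3600 :: NominalDiffTime   -- constructed: one-hour sessions
      limit = 2                          -- constructed: two sessions per user
      uid   = 42                         -- constructed sample user
      -- user 42 opens two sessions; both are admitted
      twoSessions = fromMaybe emptyTable $
        registerSession limit ttl now uid "sid-a" emptyTable
          >>= registerSession limit ttl now uid "sid-b"
      -- a third one is refused while the first two are still live
      third = registerSession limit ttl now uid "sid-c" twoSessions
      -- once the TTL has passed, a purge empties the table again
      later = addUTCTime (ttl + 1) now
  putStrLn $ "live sessions now: " ++ show (liveSessions now uid twoSessions)
  putStrLn $ "third session admitted: " ++ show (maybe False (const True) third)
  putStrLn $ "entries left after the TTL: " ++ show (Map.size (purgeExpired later twoSessions))
```

Keeping the table pure and threading it through an `IORef` or `TVar` in the handler keeps the expiry check and the purge in one place; because the cookie's IV changes on every request, the lookup key must be the `(UserId, SessionId)` pair taken from the decrypted payload, never the cookie bytes themselves.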

mschristiansen commented 7 years ago

I'm using server-sent events (SSE) and sending messages using TChans, and was looking at having a channel for each user to avoid sending full state to everyone when a new user connects. Having a channel for each user would allow me to send messages to individual users, and messages will "wait" for a user. Not strictly required for my application, but it would be more elegant.

Thanks for your clarifications.