-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manually Set Token / Session ID? #163
Comments
Fork and rewrite this part of the code.
As mentioned here you need at least 128 bits of entropy when generating your sessionID/token. Current implementation uses 32 bytes = 256 bits of entropy. |
@dlpetrie Yes, as @nal says, session tokens use 256 bits of entropy, collisions aren't something to worry about. In theory, we could add a From a code point of view, I think this would be a simple addition. My main concern is opening up a potential security hole by allowing people to (accidentally or on purpose) use session tokens that are not generated using a CSRNG or contain sufficient entropy. Does anyone else have any views on this? Is the potential utility of a |
I have identical case, need to use sid from oidc provider as session token, so i can handle back-channel logout request from oidc server (identified by sid on logout token) by simply remove it from session. It seems adding |
Hi @alexedwards , |
I'm looking into moving from gorilla sessions to SCS. One of the potential issues I'm running into is I'm not seeing a way I can set my own Token / Session ID?
We are developing a login system utilizing OIDC ( with Ory Hydra ). As part of this setup, we are sent a Session ID for the OIDC Backchannel logout specification which lets us target a backend session based on the Session ID.
A potential workaround is storing a separate map in our storage that maps a SCS token to a SessionID we receive, but seems like unnecessary chatter I would like to avoid if possible and maybe some issues keeping them in sync.
I see we can also iterate through all sessions and try to target data within the session, but this doesn't seem like a great approach when we'll potentially have millions of active sessions.
Also, is the token that is generated guaranteed to be unique? I see it uses a crypto/rand seed, just not sure if that guarantee's no collisions on a large scale basis.
Thanks!
The text was updated successfully, but these errors were encountered: