Currently, Lusca's CSRF module generates 10 bytes of random data. With Base64 conversion, session secrets include two equal sign characters. Is there a specific reason 10 bytes has been chosen? It would be possible to save two characters on every user session if the length was changed.
Further, it appears pseudoRandomBytes is now deprecated and it might be time to move to randomBytes (not sure if it's deprecated or just removed from the documentation now). Since session secrets by design must be cryptographically secure, I'm not sure why pseudoRandomBytes has been chosen.
PROPOSAL: Change line 18 of token.js (above) to use 12 bytes and use RandomBytes(cb);