Manually Set Token / Session ID? #163

Open

dlpetrie opened this issue Apr 24, 2023 · 4 comments

Comments

@dlpetrie

I'm looking into moving from gorilla sessions to SCS. One of the potential issues I'm running into is that I'm not seeing a way I can set my own Token / Session ID?

We are developing a login system utilizing OIDC (with Ory Hydra). As part of this setup, we are sent a Session ID for the OIDC Backchannel logout specification, which lets us target a backend session based on the Session ID.

A potential workaround is storing a separate map in our storage that maps an SCS token to the SessionID we receive, but that seems like unnecessary chatter I would like to avoid if possible, and there may be some issues keeping them in sync.

I see we can also iterate through all sessions and try to target data within the session, but this doesn't seem like a great approach when we'll potentially have millions of active sessions.

Also, is the token that is generated guaranteed to be unique? I see it uses a crypto/rand seed, I'm just not sure if that guarantees no collisions on a large-scale basis.

Thanks!

@nal

nal commented May 9, 2023

I'm looking into moving from gorilla sessions to SCS.
One of the potential issues I'm running into is I'm not seeing a way I can set my own Token / Session ID?

Fork and rewrite this part of the code.
But first read further.

Also, is the token that is generated guaranteed to be unique?
I see it uses a crypto/rand seed, I'm just not sure if that guarantees no collisions on a large-scale basis.

As mentioned here you need at least 128 bits of entropy when generating your sessionID/token.
In this document there is a formula to calculate time to brute force your sessionID so you can use it with your numbers.

Current implementation uses 32 bytes = 256 bits of entropy.
Corresponding code is again here.

@alexedwards
Owner

alexedwards commented Oct 22, 2023

@dlpetrie Yes, as @nal says, session tokens use 256 bits of entropy, so collisions aren't something to worry about.

In theory, we could add a SetToken() method that allows you to set a custom session token (a.k.a session ID).

From a code point of view, I think this would be a simple addition. My main concern is opening up a potential security hole by allowing people to (accidentally or on purpose) use session tokens that are not generated using a CSRNG or contain sufficient entropy.

Does anyone else have any views on this? Is the potential utility of a SetToken() function worth the added risk?
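As an added illustration of the trade-off weighed in this comment (my own sketch, not code from the scs project or from any commenter), the block below pairs a token generator that draws 32 bytes (256 bits) from crypto/rand, as the thread describes scs doing, with a hypothetical validateExternalToken guard that a SetToken method could apply to a caller-supplied value. The guard, the decodeToken helper and the accepted encodings (unpadded base64url or hex) are my assumptions; the guard can only enforce a 128-bit length floor on the decoded value, not measure how random it is.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// tokenBytes is the 32 random bytes (256 bits) the thread says scs draws from crypto/rand.
const tokenBytes = 32
// minTokenBytes is the 128-bit floor the thread cites for an acceptable session identifier.
const minTokenBytes = 16

// generateToken: 32 bytes from crypto/rand, base64url without padding (43 characters).
func generateToken() (string, error) {
	b := make([]byte, tokenBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// decodeToken (assumed helper) accepts unpadded base64url or hex and returns the raw bytes.
func decodeToken(tok string) ([]byte, error) {
	if raw, err := base64.RawURLEncoding.DecodeString(tok); err == nil {
		return raw, nil
	}
	if raw, err := hex.DecodeString(tok); err == nil {
		return raw, nil
	}
	return nil, fmt.Errorf("token %q is neither base64url nor hex", tok)
}

// validateExternalToken is a hypothetical guard for a SetToken method (an assumption,
// not part of scs). It cannot judge how random a caller-supplied value is; it only
// rejects values that decode to fewer than 128 bits, which catches the obvious misuse
// (empty strings, counters, usernames) behind the maintainer's concern above.
func validateExternalToken(tok string) error {
	raw, err := decodeToken(tok)
	if err != nil {
		return err
	}
	if len(raw) < minTokenBytes {
		return fmt.Errorf("token carries %d bytes, need at least %d", len(raw), minTokenBytes)
	}
	return nil
}
```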

@zakyalvan

zakyalvan commented Nov 15, 2023

I have an identical case: I need to use the sid from the OIDC provider as the session token, so I can handle a back-channel logout request from the OIDC server (identified by the sid in the logout token) by simply removing it from the session store. It seems adding SetToken would be the simplest approach.

@iOfek

iOfek commented Mar 17, 2024

Hi @alexedwards, SetToken would be much appreciated. Any updates on the topic?
Thanks.
