Reputation: 2922
What is the ideal size for the session secret for express.session?
Upvotes: 6
Views: 3717
Reputation: 5353
The HILARUDEEN S ALLAUDEEN answer is wrong.
It doesn't matter how big the secret is; it has no effect on cookie size.
You can check it here: https://npm.runkit.com/cookie-signature
var cookie = require("cookie-signature")
cookie.sign('hello', 'tobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscooltobiiscool')
The resulting length is the same.
The answer is 256 for sha256.
express-session is using https://www.npmjs.com/package/cookie-signature
The sign function is here.
Some recommend 32 bytes, others recommend 64.
Let's play it safe and use 256.
Upvotes: 3
Reputation: 1752
Standard Size Of Cookie:
In general, a cookie is a token which is sent by the HTTP client (maybe a browser) as a part of the request. Since HTTP is a stateless protocol, a cookie is the only way to tell the server who the actual client is. Take the browser: browsers have certain limitations on storing cookies; if you want, go through "What is the maximum size of a cookie, and how many can be stored in a browser for each web site?"
Since the cookie is part of each request, storing a bigger token/value/string in the cookie will take more bandwidth. So it is definitely not recommended to store large data.
Sencha's Connect:
The Express framework internally depends on the Connect framework to manage sessions and cookies. You can identify this from https://github.com/visionmedia/express/blob/master/package.json; go through the "dependencies" key in the JSON.
Connect's Role on Session/Cookie Management:
In cookie generation, the secret string plays a key role in avoiding cookie tampering. Internally, the program will generate an encoded string and append it as a part of the cookie. To say it clearly: you see the cookie with the name "connect.sid" (this is the default one; however, you can override the name) in the browser, and you can read it in the browser itself by using any of the developer add-ons.
The value stored against "connect.sid" contains two parts. The first one is the "Session ID" and the second one is the "Signature". It looks as follows:
    <session id encoded> . <signature>
The code part generating this cookie format is as follows:
    function session(options){
      ...
      ...
      return function session(req, res, next) {
        ...
        ...
        // set-cookie
        res.on('header', function(){
          ...
          ...
          /*******************************************************/
          /*********** Cookie Generating Code ********************/
          var val = 's:' + signature.sign(req.sessionID, secret);
          val = cookie.serialize(key, val);
          debug('set-cookie %s', val);
          res.setHeader('Set-Cookie', val);
          /*********** Cookie Generating Code *******************/
        });
        ...
        ...
Signature Generation:
Connect calls the sign() function, which is implemented in the "cookie-signature" module. You can easily see how the sign() function works from the example on this page, https://npmjs.org/package/cookie-signature, and you can get deeper insight from https://github.com/visionmedia/node-cookie-signature/blob/master/index.js
Conclusion:
Finally, the "secret" string Express uses is going to be part of the cookie as a signature. So you can use any length of "secret" string, unless it (session ID plus signature) exceeds the standard browser-supported size.
Upvotes: 1