A. L

Reputation: 12669

node express sessions - does secret need to be unique somehow?

So I'm using express-session https://github.com/expressjs/session and I was wondering if the secret needed to be unique for every user. I can't seem to find anything that says it does as the usage just lists:

var session = require('express-session');

app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}))

I'm currently just creating the secret using bcrypt but I'm not sure if this will impact sessions when I update my server file.

var bcrypt = require('bcrypt');
var session = require('express-session');

var salt1 = bcrypt.genSaltSync();
var salt2 = bcrypt.genSaltSync();
// a fresh hash is produced every time the server process starts
var secret = bcrypt.hashSync(salt1 + salt2, 10);
app.use(session({
    secret, // set this to a long random string!
}));

Should the session be generated inside a function in itself, i.e. function generateSession()?

Upvotes: 6

Views: 2421

Answers (1)

AkinsTech

Reputation: 164

The secret is the same for all users. The "secret" you supply simply acts as the salt for the session's hash function. The method you're using is as good as any as it will generate a new salt each time the application is restarted.

Upvotes: 5
