Reputation: 12669
express-session should secret be static or dynamic?
I can't find any information from the documentation whether the secret should be a static string or if it should/can be dynamic. Here's how I'm setting the secret right now.
var salt1 = bcrypt.genSaltSync();
var salt2 = bcrypt.genSaltSync();
var secret = bcrypt.hashSync(salt1 + salt2, 10);
app.use(session({
// activeDuration: toTime("days", 7),
// duration: toTime("days", 7),
maxAge: toTime("days", 7),
saveUninitialized: false,
secret, // set this to a long random string!,
}));
So should the secret be a one time thing or can it be dynamic?
Upvotes: 4
Views: 1479
Answers (2)
Reputation: 138477
dynamic
- Easier to keep secret (an attacker would have to read it from the memory of the running process)
- Invalidates all sessions when the server restarts as a new secret is generated ( might be useful if you use local caches that need to be refilled anyways)
static
- Sessions stay active across server restarts
- Multiple servers can share the same sessions
Upvotes: 4
Reputation: 318658
Usually these secrets are used to sign and/or encrypt session data stored in client-side cookies (in case of express it's used to sign the session data to prevent tampering).
So the secret must be:
- secret (duh!)
- static (changing it will invalidate any session using the old secret unless you keep the old ones around as well)
- configurable, just like DB credentials etc. (you don't want to commit secrets to your codebase)
- random (anything that gives you a long random/unpredictable string is fine)
FYI, using bcrypt to generate it makes no sense. bcrypt's goal is to be slow to prevent brute-forcing hashes. This is not relevant here. Proper randomness is enough.
Relevant section from the docs:
This is the secret used to sign the session ID cookie. This can be either a string for a single secret, or an array of multiple secrets.
If an array of secrets is provided, only the first element will be used to sign the session ID cookie, while all the elements will be considered when verifying the signature in requests.
Since express-session supports keeping old secrets around, you could rotate the active secret. For example, once a month you could prepend a new random secret to the array and thus allow existing sessions with the old secret to keep working while not using it for any new sessions. Then, once your max age has been reached, you can safely remove a secret not used for that many days. Like this an accidental leak of a session secret would become harmless after some time (unless someone abused it in the meantime of course)
Upvotes: 10
Related Questions
- Expressjs - Ideal Session Secret Size
- Express Js: req.session vs cookie vs local storage vs session storage
- Does session secret in nodejs does same thing as signed cookie?
- What is the best option to store session data in express js
- node express sessions - does secret need to be unique somehow?
- ExpressJS security best practice (handle session and cookie)
- What is a secure session secret?
- In Express.js, is it safe to store any data in sessions?
- Is secret set in cookie parser and session store the same thing in express.js?
- What should I use for express.cookieParser() secret?