Reputation: 19203
Is it safe to use UUID v4 to generate session IDs?
Does generating two UUID v4 and concatenating them to have a longer string make this more secure to be used as a session ID for a web app?
Upvotes: 2
Views: 2861
Reputation: 99523
Generally, no. While the string itself is long enough, the UUID specification does not require implementations to generate strings that are cryptographically random.
Specific implementations may make it more random, so the library you use might be good enough, but it's not required to be a valid UUID. So having a valid UUID is no proof/guarantee that it was generated from a random enough source.
Even if your specific UUID library does create cryptographically unguessable strings, it may still not be desirable to use it, because it could signal to a future developer: "UUIDs are safe to use for secrets", so it could create risk later on even if originally the UUIDs were secure.
My recommendation would be to simply use crypto.randomBytes.
Upvotes: 1