I would like to work with sessions at a low level. How is it possible to generate a session id in node.js?
It is not clear what you are trying to achieve, but... a session ID is just an ID! You generate it however you want. There are no requirements except for uniqueness. It is a good idea though to make it secure. For example this function may be your session id generator:
```javascript
var crypto = require('crypto');
var generate_key = function() {
    // 16 bytes is likely to be more than enough,
    // but you may tweak it to your needs
    return crypto.randomBytes(16).toString('base64');
};
```
You call `generate_key()` and you check whether it exists in a database. If it does, you call it again, and so on and so on.
EDIT: Let me address comments:
- Originally I had `Math.random()` here and there were some concerns that this is not cryptographically secure. While it is true, I don't see OP asking for a cryptographically secure solution. For all we know he may not need it; after all, we don't know what kind of sessions he is dealing with. Ultimately I've decided to change it, because the crypto solution is safer and (most of the time) it doesn't have any drawbacks.
- UUID is an acceptable alternative. I personally prefer uuid4 since it doesn't leak information, but it doesn't really matter.
- The amount of computation needed to generate any sort of id is unlikely to matter and it will be dominated by database communication most of the time (if there is any). Unless you are dealing with pbkdf2 kind of algorithms. I wouldn't use that. But if you are, then you probably have your reasons.

freakish
- Do you think using a crypto function for session id generation is a good choice? crypto takes a good amount of time in computation. I would rather suggest using uuid functions, feeding in some seed data (mac address) in order to resolve conflicts in a distributed environment. http://blog.tompawlak.org/generate-unique-identifier-nodejs-javascript – Ashish Aug 02 '14 at 21:08
- Unfortunately there are other requirements apart from uniqueness, such as unpredictability and having a sufficient amount of randomness. [You should use the Node.js crypto module. `Math.Random` is seeded from the current time](http://blog.tompawlak.org/how-to-generate-random-values-nodejs-javascript), therefore it is predictable and an attacker could use it to predict a user's session ID. – SilverlightFox Mar 30 '15 at 17:24
- ```javascript
  const crypto = require('crypto');

  function generateSessionID(callback) {
    crypto.randomBytes(256, function(err, buf) {
      if (err) {
        callback(err);
        return;
      }
      var sha = crypto.createHash('sha256');
      sha.update(buf);
      callback(null, sha.digest('hex'));
    });
  }

  module.exports = generateSessionID;
  ```
  Sorry, can't seem to get this formatting nice in a comment. Insert into your data store and check if it already exists. If there is an error generating it then log and throw that error. Not sure if it's good practice or anything like that :S – Liam Mitchell Jun 11 '17 at 03:02
- This session ID is not secure so I've added a note on top so that people don't simply copy and paste this example. – laurent Sep 22 '19 at 15:58
- UUID is also not an acceptable session id, unless the underlying library is using a sufficiently random source. This is not always the case. – Evert Sep 22 '19 at 18:12
- I agree that the random library (I never heard of it either) was also not a great idea. But there's also a lot of opinion, incorrect advice and emotion in your answer. This is _also_ harmful. – Evert Sep 22 '19 at 18:18
- This should probably run through URIencode to avoid issues with padding characters and slashes. I would also use a full 18 bytes so it base64s nicely. – Arkadiy Kukarkin Oct 22 '20 at 19:49