Generating a random secret
I am working on an open source express app where I don't want to provide a default session secret. So I wanted to know if there would be any problems doing this:
const session = require('express-session') // assumed: the middleware the issue refers to
app.use(session({
  // 64 random bytes, hex-encoded; a new value on every process start
  secret: require('crypto').randomBytes(64).toString('hex')
}))
The only problem I can think of is that if the app gets restarted the secret is lost, so the cookies won't have a valid signature, but I think I would prefer this to having a default public secret. Are there any other problems with this?
Issue Analytics
- Created 9 years ago
- Reactions: 7
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Correct, if you want, you can use a random secret and the sessions would only last the lifetime of the server. The other problem is if you cannot horizontally scale your application, since if you load balance between two different instances, they will have different secrets. Just keep the limitations in mind is all (and you probably should provide a way for someone to configure the secret, but just default to the random one).
Thanks guys