Invalidating a session using session id
The Express session middleware builds this integrity check by calculating a hash over the combination of the session id and a secret.
Since calculating the hash requires possession of the secret, an attacker will not be able to generate valid session ids without guessing the secret (or just trying to guess the hash).
The session cookie acts as a bearer token — whoever shows up with the token is considered to be the authenticated user.
Setting a session cookie removes the need to enter your username and password on every page.
This means an invalid session id could come from an expired session or from an attacker, but without additional data (e.g. IP address) it would be hard to tell the difference in a large scale system.
However, this session cookie now acts as the sole authentication key and anyone who gains access to this key will gain access to the system.
Cookies are, after all, just a simple string of characters.
Security is a complex and very specific area and if you are concerned about the security of your system you should hire an expert that can review your system along with a threat analysis and provide the appropriate advice.
An important difference between guessing passwords and guessing session ids is the fact that passwords are associated with an account (e.g. The account-password pair makes it easier to keep track of brute force attacks because it provides a relatively straightforward way to keep track of failed attempts.
However, when it comes to session ids, it is not as simple because sessions expire and do not include an account context.
It is also critical that session ids are not generated using a predictable algorithm such as a counter because if such logic exists, the attacker is no longer guessing but generating session ids. The size has to translate into an impractical effort to guess a valid session id.
Using a cryptographically secure random number generator to produce sufficiently long session ids is the best common practice. Another way to prevent an attacker from guessing session ids is to build integrity into the token by adding a hash or signature to the session cookie.
We all write bad code no matter how great our process is or how experienced we are. This is why it is so important to layer your security.