Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

actix-session: generate_session_key seems to generate overly long ids #497

Open
wt opened this issue Jan 21, 2025 · 0 comments
Open

actix-session: generate_session_key seems to generate overly long ids #497

wt opened this issue Jan 21, 2025 · 0 comments

Comments

@wt
Copy link
Contributor

wt commented Jan 21, 2025
edited
Loading

The OWASP guidelines (the same linked from the comment on generate_session_key) suggest that session ids should be 64 bits long, not 64 characters as implemented in generate_session_key. If you represent a 64 bit long integer as a hexidecimal number, it is only 16 characters long instead of 64.

Is there any chance that you might consider the following replacement for generate_session_key?

fn generate_session_key() -> SessionKey {
    let key: u64 = rand::thread_rng().gen();
    let key_str = format!("{:x}", key);
    key_str.try_into().unwrap()
}

This would allow session keys to be far shorter while still complying with the OWASP guidelines. These shorter ids would take less space in storage as well. This could be really beneficial to sites with large numbers of sessions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wt