I am working on an open source express app where I don't want to provide a default session secret. So I wanted to know if there would be any problems doing this:
const express = require('express')
const session = require('express-session')
const app = express()
app.use(session({
  secret: require('crypto').randomBytes(64).toString('hex')
}))
The only problem I can think of is that if the app gets restarted the secret is lost, so the cookies won't have a valid signature, but I think I would prefer this to having a default public secret. Are there any other problems with this?
@horses are you using the MemoryStore? If so, all your sessions will be lost on restart anyway.
Does your app have any kind of config?
Yes, but if there are no other problems with randomly generating a secret it would be a tiny bit more convenient having one less config option.
I don't think there are any other issues with using a random secret.
Correct, if you want, you can use a random secret and the sessions would only last the lifetime of the server. The other problem is that you cannot horizontally scale your application, since if you load balance between two different instances, they will have different secrets. Just keep the limitations in mind is all (and you probably should provide a way for someone to configure the secret, but just default to the random one).
Thanks guys