torndsession
use of uuid4.hex() for token generation is not secure
import os, binascii
binascii.b2a_base64(os.urandom(24))[:-1]
is faster and much more secure since:
- does not involve uuid, which is not suitable for secure token generation
- uses the OS-provided, much more secure random source as opposed to Python's random
- generates a 32-byte-long string too, but with 64**24 = 2**144 random items, while your way generates 256**16 = 2**128 variants
It needs to be checked for special symbols like / and +.
Thanks for your comment. In my opinion, slash and plus are legal in cookie values. What is the risk of generating a token with base64 directly?
base64 is just a way to encode a binary value. It has nothing in common with generating random data.
If you ask about the base64 module — it is just a wrapper over the binascii module — see the sources. Using binascii directly is just faster in your case.
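An added example, not part of this thread or of the torndsession code, that puts the proposals above side by side: the thread's binascii/os.urandom token, a URL-safe variant that can never contain '+' or '/', and uuid4().hex for comparison, together with the cookie-value check the thread asks for, written against RFC 6265's cookie-octet rule. The function names, the 24-byte default and the constructed 3-byte input are my own choices. Independently of the encoding, os.urandom(24) carries 192 bits of entropy, while uuid4 carries 122 because its version nibble and variant bits are fixed; the code checks both.

```python
import base64
import binascii
import os
import uuid

# --- Encoders -------------------------------------------------------------

def encode_b2a(raw):
    """The thread's encoder: standard base64 via binascii.
    b2a_base64 appends a trailing newline, which the [:-1] slice removes."""
    return binascii.b2a_base64(raw)[:-1].decode("ascii")

def encode_urlsafe(raw):
    """Same 6-bits-per-character encoding with the URL-safe alphabet:
    '-' replaces '+' and '_' replaces '/', so no base64 specials appear."""
    return base64.urlsafe_b64encode(raw).decode("ascii")

# --- Token generators (hypothetical helper names) -------------------------

def token_b2a(nbytes=24):
    """Token as proposed in the thread: 24 OS-CSPRNG bytes -> 32 chars, 192 bits."""
    return encode_b2a(os.urandom(nbytes))

def token_urlsafe(nbytes=24):
    """Same entropy, but the result never contains '+' or '/'."""
    return encode_urlsafe(os.urandom(nbytes))

def token_uuid4():
    """The scheme the thread objects to: 32 hex chars, but only 122 random
    bits, because RFC 4122 fixes the version nibble and two variant bits."""
    return uuid.uuid4().hex

# --- Checks ---------------------------------------------------------------

# RFC 6265 cookie-octet: printable US-ASCII except space, '"', ',', ';', '\'.
_COOKIE_OCTETS = frozenset(chr(c) for c in range(0x21, 0x7F)) - frozenset('",;\\')

def is_cookie_safe(token):
    """True if every character may appear unquoted in a Set-Cookie value."""
    return bool(token) and all(ch in _COOKIE_OCTETS for ch in token)

def has_base64_specials(token):
    """True if the token contains the standard-alphabet characters '+' or '/'."""
    return "+" in token or "/" in token

def uuid4_fixed_positions_ok(hex_token):
    """The two fixed fields that cost uuid4 its 6 bits of entropy:
    hex[12] is always '4' (version) and hex[16] is one of '89ab' (variant)."""
    return hex_token[12] == "4" and hex_token[16] in "89ab"

def entropy_bits(nbytes):
    """Entropy of a token built from nbytes CSPRNG bytes, whatever the encoding."""
    return 8 * nbytes

UUID4_ENTROPY_BITS = 122

if __name__ == "__main__":
    # Constructed input chosen so that standard base64 yields only specials.
    raw = b"\xfb\xff\xbf"
    print(encode_b2a(raw), encode_urlsafe(raw))   # +/+/ -_-_
    for name, tok in (("b2a", token_b2a()), ("urlsafe", token_urlsafe()),
                      ("uuid4", token_uuid4())):
        print(name, tok, len(tok), "cookie-safe:", is_cookie_safe(tok),
              "specials:", has_base64_specials(tok))
```

On Python 3.6 and later the standard library's secrets.token_urlsafe(24) produces the same URL-safe form with the padding stripped, and binascii.b2a_base64 accepts newline=False, which makes the [:-1] slice unnecessary.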
This feature was added in version 1.1.5, thank you for your suggestion.