MitchellChu / torndsession

Torndsession is a tornado web framework session extension.
MIT License

use of uuid4.hex() for token generation is not secure #12

Open socketpair opened 8 years ago

socketpair commented 8 years ago

binascii.b2a_base64(os.urandom(24))[:-1] is faster and much more secure since:

  1. it does not involve uuid, which is not suitable for secure token generation
  2. it uses the OS-provided, much more secure random source as opposed to Python's random
  3. it generates a 32-byte string too, but 64**24 = 2**144 random items, while your way generates 256**16 = 2**128 variants

It needs to be checked for special symbols like / and +.
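As an added example (not torndsession's own code), the two schemes discussed in this thread side by side: the proposed os.urandom/base64 token, the existing uuid4.hex token, the random bits each actually carries, and an RFC 6265 cookie-octet check for the / and + question.

```python
import binascii
import os
import re
import uuid

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
# printable US-ASCII without CTLs, whitespace, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTET_RE = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')


def urandom_token(nbytes=24):
    """Token as proposed in the issue: OS CSPRNG bytes, base64, trailing newline stripped."""
    return binascii.b2a_base64(os.urandom(nbytes))[:-1].decode("ascii")


def uuid4_token():
    """The original scheme: 32 hex characters of a random UUID."""
    return uuid.uuid4().hex


def is_cookie_safe(token):
    """True if every character is an RFC 6265 cookie-octet ('+', '/' and '=' all qualify)."""
    return COOKIE_OCTET_RE.fullmatch(token) is not None


def entropy_bits(scheme, nbytes=24):
    """Random bits in the token: a uuid4 fixes 6 of its 128 bits (version and variant)."""
    if scheme == "uuid4":
        return 128 - 6
    if scheme == "urandom":
        return nbytes * 8
    raise ValueError("unknown scheme: %s" % scheme)


def token_length(scheme, nbytes=24):
    """Encoded length: hex doubles 16 bytes; base64 emits 4 chars per 3 input bytes."""
    if scheme == "uuid4":
        return 32
    if scheme == "urandom":
        return 4 * ((nbytes + 2) // 3)
    raise ValueError("unknown scheme: %s" % scheme)
```

On Python 3.6 and later, secrets.token_urlsafe(24) gives the same strength with a URL-safe alphabet (no / or +), which sidesteps the escaping question entirely.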

MitchellChu commented 8 years ago

Thanks for your comment. In my opinion, slash and plus are legal in cookie values. What is the risk of generating a token with base64 directly?

socketpair commented 8 years ago

base64 is just a way to encode a binary value. It has nothing in common with generating random data.

socketpair commented 8 years ago

If you ask about the base64 module — it is just a wrapper over the binascii module — see the sources. Using binascii directly is just faster in your case.

MitchellChu commented 7 years ago

This feature is added in version 1.1.5. Thank you for your suggestion.