
Security of Hashing Algorithm

Open tcc-sejohnson opened this issue 1 year ago • 2 comments

Edit: sorry for the initial confusing title -- GitHub mobile is kind of weird.

Hey there! I hate asking questions via GitHub issues, but I wasn't sure how else to get in touch. 🙂 I wanted to double-check: is the method of encrypting the cookie considered cryptographically secure? I use OAuth, which requires me to manage access tokens, which I would normally stick into my session on the server side. Using this library, that means they'd be sent to the client (which is traditionally unsafe, but should be fine so long as they're part of an "unbreakable enough" encryption that I can rotate regularly). It looks like they are, but I just need to make sure!

tcc-sejohnson avatar Aug 09 '22 23:08 tcc-sejohnson

Hey! I'm by no means a security expert, but the algorithm used, AES-GCM 128, should be cryptographically secure and sufficient for your needs!

pixelmund avatar Aug 10 '22 06:08 pixelmund

@pixelmund

Yep, that algorithm should be fine.

One last question. Is the hook expecting to infinitely increment the secret ID, or is there a point at which it would be OK to reuse an ID that had been rotated out of use long ago?

tcc-sejohnson avatar Aug 13 '22 19:08 tcc-sejohnson

Sorry for the late response, I was quite busy. I think you should be infinitely incrementing the secret ID, just to be sure.

pixelmund avatar Aug 25 '22 08:08 pixelmund