1

I'm building my own session management library in the Go programming language and I had an interesting idea to save memory. I created something called an overseer that looks for expired and abandon sessions and wiped them from memory. The only downside of that is that I have a channel that holds all session names so overseer can repeatedly loop through them.

So, in order to keep sessions indexable by their name, I was thinking about appending sessions with a unique rotating validation token separated by some delimiter. e.g. session cookies would be stored as "sessionid|validationToken." Is this less secure or any different than rotating the entire session ID? Both validation token and session id will use UUID so they will be uniquely identifiable. Also, is this really any different than rotating the entire session id?

This is in reference to session fixation/session hijacking

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • If I understand correctly, you are wondering if salting session ids is more secure? – RocketSEA Oct 31 '18 at 06:11
  • Not necessary if it is more secure, but if it is at least equally as secure. Also, being completely absent minded, I originally forgot to mention that the validation token, which is essentially a salt, would rotate. – Cygnini - ShadowRi5ing Nov 01 '18 at 15:56
  • It's possible to implement sessions reasonably securely using no memory at all. Some more info [here](https://security.stackexchange.com/questions/49145/avoid-hitting-db-to-authenticate-a-user-on-every-request-in-stateless-web-app-ar) – paj28 Nov 01 '18 at 16:02

0 Answers0