Random Session ID?

[saiteja-madha]

Simplify the setup of SESSION_PASSWORD by automating random secret generation. This eliminates user confusion and reduces security risks.

[saiteja-madha]

Since this codebase is being used by beginners, I think we can create a script to help users fill in the .env

[imnaiyar]

How about we use uuid for that?

[imnaiyar]

Something like this would be sufficient i think

const { v4 } = require('uuid')
app.use(
      session({
        secret: v4(),
        cookie: { maxAge: 336 * 60 * 60 * 1000 },
        ...// other options
    )

[ItzDerock]

i dont think we need to introduce a whole dependency for this, just use node:crypto,

import { randomBytes } from "node:crypto";

session({ 
  secret: process.env.SESSION_PASSWORD ?? randomBytes(32).toString("hex"),
  ...
});

downside to this and the uuid approach is that upon reboot, the session secret will be different, thus invalidating all existing sessions. Prefilling the .env works fine for all non-docker users.

alternatively, we can just update the readme to include instructions on how to generate a random secret, such as running head /dev/urandom | tr -dc A-Za-z0-9 | head -c32 or link some website.

[saiteja-madha]

But won’t generating a random one and not the value be a problem?

I believe the session won’t be persisted after restart