Generating Session IDs
In this lesson, we'll see how secure session IDs are generated.
Using incremental session IDs is a bad choice
It should go without saying, but your session IDs (often stored in cookies) should not resemble a known pattern or be generally guessable. Using an auto-incrementing sequence of integers as IDs would be a terrible choice, as an attacker could just log in, receive the session ID X and then replace it with X ± N, where N is a small number, to increase the chances of that being the identifier of a recent, valid session.
Generating secure IDs
The simplest choice would be to use a cryptographically secure function that generates a random string. This is usually not a hard task to accomplish. Let’s take the Beego framework, very popular among Golang developers, as an example; the function that generates session IDs is
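The following is an added Go example of the approach just described, not Beego's own session code: it draws the ID from the operating system's CSPRNG via crypto/rand and rejects any presented ID that does not have the expected shape. The names NewSessionID, LooksLikeSessionID and sessionIDBytes are my own.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// sessionIDBytes is the number of random bytes per ID. 32 bytes gives 256
// bits of entropy, so X ± N style guessing has no realistic chance.
const sessionIDBytes = 32

// NewSessionID returns a URL-safe session identifier built from crypto/rand.
// It never falls back to math/rand: if the CSPRNG fails, the caller gets an
// error instead of a weak ID.
func NewSessionID() (string, error) {
	buf := make([]byte, sessionIDBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("session id: csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// LooksLikeSessionID checks that an ID presented by a client decodes to
// exactly sessionIDBytes bytes, so malformed, truncated or incremental-style
// values (e.g. "1234") are rejected before any session-store lookup.
func LooksLikeSessionID(id string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(id)
	return err == nil && len(raw) == sessionIDBytes
}

func main() {
	id, err := NewSessionID()
	if err != nil {
		panic(err)
	}
	fmt.Println(id, LooksLikeSessionID(id))
}
```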