specify that session ID should be cryptographically safe

Question

specify that session ID should be cryptographically safe

Opened this issue 5 years ago · 0 comments

There is a chance that if session ID's are chosen poorly they can be vulnerable to brute force attacks. We should use window.crypto in the sample code and we should specify in the spec that we should use crypto safe randomly generated numbers.