gorilla/sessions

[question] do I need keys?

korrasami opened this issue · 4 comments

For each keyPair in NewCookieStore(keyPairs ...[]byte), I see we can set one value (for HMAC) or two values (for HMAC and AES). My question: which is enough to guarantee security:
a) no keys
b) HMAC only
c) HMAC + AES keys

I'm pretty new when it comes to security.

Obviously I don't want my session cookies compromised in any way. My cookie only contains the session ID, which is a V4 UUID. I don't want the case where an attacker can forge a session cookie with whichever session ID. Though they'll also have to guess a session ID that's active.

My keys will be of length 32 in base 64.

One key is fine, and preferred.

One key as in a single keyPair with only HMAC? Just curious, why is that preferred over HMAC + AES?

Also I realized (a) isn't an option as NewCookieStore doesn't have a constructor with no keyPairs. Otherwise I was thinking that even no keyPairs would be secure for me. Attackers could pass in whatever session ID they wanted but since I'm using V4 UUIDs, it's not brute-forceable.
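To make the difference between the three options concrete, here is an added example (not code from gorilla/sessions or gorilla/securecookie, and not from anyone in this thread) that shows what the first key in a keyPair does: it authenticates the cookie value with HMAC-SHA256, so a client who edits the session ID inside the cookie is rejected. It uses only the Go standard library and a simpler encoding than securecookie's own; the cookie name, the 32-byte key and the UUID-shaped session ID are all constructed here. Option (a) corresponds to skipping `VerifyCookie` and trusting the payload as sent; the AES block key in option (c) would additionally encrypt the payload so the ID is not readable from the cookie, which this example does not do.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSignature is returned for any cookie whose MAC does not verify.
var ErrBadSignature = errors.New("session cookie: signature invalid")

// NewHashKey returns a fresh 32-byte random key for HMAC-SHA256. A real
// service loads its key from configuration so sessions survive a restart.
func NewHashKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// tag computes HMAC-SHA256 over the cookie name and the encoded payload.
// Binding the name means a value signed for one cookie cannot be replayed
// under another cookie name that happens to use the same key.
func tag(key []byte, name, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name))
	mac.Write([]byte{0}) // separator so name/payload boundaries are unambiguous
	mac.Write([]byte(payload))
	return mac.Sum(nil)
}

// SignCookie encodes value (here a session ID) as "payload.mac". The payload
// is only base64, so anyone holding the cookie can still read the ID; the MAC
// stops them from changing it.
func SignCookie(key []byte, name, value string) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(value))
	return payload + "." + base64.RawURLEncoding.EncodeToString(tag(key, name, payload))
}

// VerifyCookie checks the MAC in constant time before trusting the payload
// and returns the original value only when it verifies.
func VerifyCookie(key []byte, name, cookie string) (string, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return "", ErrBadSignature
	}
	payload, sig := parts[0], parts[1]
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil || !hmac.Equal(got, tag(key, name, payload)) {
		return "", ErrBadSignature
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", ErrBadSignature
	}
	return string(raw), nil
}

// ForgeSessionID is what a client can do to a cookie whose payload is not
// encrypted: swap in a different session ID and keep the rest of the cookie.
// Without a MAC check (option a) the server would accept the result.
func ForgeSessionID(cookie, newID string) string {
	parts := strings.SplitN(cookie, ".", 2)
	sig := ""
	if len(parts) == 2 {
		sig = parts[1]
	}
	return base64.RawURLEncoding.EncodeToString([]byte(newID)) + "." + sig
}

func main() {
	key := NewHashKey()
	// Constructed v4-style UUID for the demo, not a live session ID.
	const id = "9f1c2a4e-3b8d-4c6e-a2f0-1d5e7b9c3a21"

	cookie := SignCookie(key, "session", id)
	fmt.Println("set-cookie:", cookie)

	got, err := VerifyCookie(key, "session", cookie)
	fmt.Println("genuine cookie ->", got, err)

	forged := ForgeSessionID(cookie, "00000000-0000-4000-8000-000000000000")
	_, err = VerifyCookie(key, "session", forged)
	fmt.Println("forged cookie  ->", err)
}
```

The forgery attempt fails because the attacker cannot recompute the MAC without the server's key, regardless of how guessable the session ID is; that is the property the HMAC key buys on top of the unguessable UUID. Note that `hmac.Equal` is used for the comparison so that a byte-by-byte mismatch does not leak timing information.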

stale commented

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.