CSRF: Move from 10 Bytes to 9 or 12.
Opened this issue · 0 comments
jagracey commented
Currently, Lusca's CSRF module generates 10 bytes of random data. With Base64 conversion, session secrets include two equal sign characters. Is there a specific reason 10 bytes has been chosen? It would be possible to save two characters on every user session if the length was changed.
```js
// token.js, line 18: the current token generation (LENGTH is 10 in the text above)
const crypto = require('crypto');
crypto.pseudoRandomBytes(LENGTH).toString('base64');
```
Further, it appears `pseudoRandomBytes` is now deprecated and it might be time to move to `randomBytes` (not sure if it's deprecated or just removed from the documentation now). Since session secrets by design must be cryptographically secure, I'm not sure why `pseudoRandomBytes` has been chosen.
PROPOSAL: Change line 18 of `token.js` (above) to use 12 bytes and use `RandomBytes(cb)`.