Purpose of sha256 hashing a sessionId

[moshetanzer]

Hi,

if session is is being generated let’s say using uuid 4 and being saved in db and creating a cookie. What is the difference if you sha256 it first or you don’t. It can’t be unhased and is a random value?

[pilcrowonpaper]

It's an additional protection if your database gets leaked, which has happened before with insecure backups. Not required but it's pretty easy to implement

[moshetanzer]

export async function createSession(token: string, userId: number): Promise<Session> {
	const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
	const session: Session = {
		id: sessionId,
		userId,
		expiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30)
	};
	await db.execute(
		"INSERT INTO user_session (id, user_id, expires_at) VALUES (?, ?, ?)",
		session.id,
		session.userId,
		session.expiresAt
	);
	return session;
}

That isn't the case in the Lucia Postgres docs. They both being saved hashed?

[trasherdk]

Okay, that seems wrong, and not something I would do myself :)

[moshetanzer]

My mistake. He is setting actual cookie with token not with hash. See all the way at the end.

[moshetanzer]

My mistake. He is setting actual cookie with token not with hash. See all the way at the end.