[Feature Request]: Allow signing of sessions

[tobiasdiez]

Description

While it is not a huge increase of security, it is generally advised to hash/sign session ids before sending them out to the user. The main advantages are:

• Using a predetermined secret, it is possible to detect if someone tampered with the session id (ie its possible to detect the difference between an expired and an invalid session).
• Might hide possible security vulnerabilities coming from the session id generation
• It is not possible for an attacker to impersonate users even if they got access to the session database
• If you store the expire date of the session as well, one might be able to save a database request (for expired sessions)

Implementation: See e.g. https://github.com/expressjs/session/blob/1010fadc2f071ddf2add94235d72224cf65159c6/index.js#L541-L550 in express-session or unjs/h3#315 in h3.

Discussions:

• https://security.stackexchange.com/questions/92122/why-is-it-insecure-to-store-the-session-id-in-a-cookie-directly
• https://security.stackexchange.com/questions/63435/why-use-an-authentication-token-instead-of-the-username-password-per-request/63438#63438

[pilcrowOnPaper]

The benefit of signing cookies is minimal so I'm not sure if it's worth supporting it. I'm not a very big fan of using callback functions either:

lucia({
  sessionCookie: {
    parseSignedCookie: (cookie: string) => {
      const parsedCookie = parse(cookie);
      // I really don't like requiring `if` statements inside options
      if (parsedCookie === null) return null;
      if (parsedCookie.expires > Date.now()) return null;
      return parsedCookie.sessionId;
    },
    signCookie: (session: Session) => {
      return signCookie(session.sessionId, session.idleExpires);
    }
  }
})

Lucia already exposes low level APIs (e.g Auth.validateSession()), and I'd rather have users build on top of it instead of hacking into Lucia's internals.

[tobiasdiez]

I think it would already be sufficient to expose config option secrets (an string array). If this is passed, lucia internally signs the session id in the cookie.

In your example, in the case if (parsedCookie === null) return null; you probably also want to log the request - since it means someone tampered with the cookie.

[pilcrowOnPaper]

I'm going to keep this open since I think it's worth having the discussion (for v4), but it won't be implemented in the near feature (within v3.x) since we'll have to introduce breaking changes.

[jckw]

I just contributed to the bounty on this issue.

Each contribution to this bounty has an expiry time and will be auto-refunded to the contributor if the issue is not solved before then.

To make this a public bounty or have a reward split, the maintainer can reply to this comment.