Skip to content

Session Token Length #6755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gregorskii opened this issue Jun 25, 2020 · 2 comments
Closed

Session Token Length #6755

gregorskii opened this issue Jun 25, 2020 · 2 comments

Comments

@gregorskii
Copy link

Issue Description

OWASP recommends session tokens should be 128 bit. Parse sessions are currently 32 bit:

parse-server/src/cryptoUtils.js

Line 43 in de79b70

return randomHexString(32);

https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length

Steps to reproduce

No reproduction needed, code attached.

Expected Results

Session token to be a minimum of 128 bits, or be of configurable length for flexibility.

Actual Outcome

Session tokens are 32 bit.

Environment Setup

  • Server

    • parse-server version : 4.2.0
    • Operating System: Linux
    • Hardware: Ubuntu / Cloud Server
    • Localhost or remote server? GCS

  • Database

    • MongoDB version: 3.6.18
    • Storage engine: N/A
    • Hardware: N/A
    • Localhost or remote server? Cloud Atlas
@mtrezza mtrezza mentioned this issue Jun 26, 2020
Closed
@mtrezza
Copy link
Member

mtrezza commented Jun 26, 2020
edited
Loading

The current session token has 32 HEX characters, that's 128 bit entropy, so we should be good.

@gregorskii
Copy link
Author

Derp thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gregorskii @mtrezza