Background: I’ve been using a simple session cookie design for my web app. I have a
users table, and a
sessions table that basically looks like this:
id | user_id | visited_at -----+---------+----------- int | int | timestamp
And a session cookie contains just a session ID, signed with a secret key. I give the cookie an expiration date (but the source of truth is still the timestamp in the DB), and make sure it’s secure and HTTP-only.
Then I came across these threads:
I think tptacek is basically saying that, instead of storing the signed session ID in the cookie, I can make the
sessions table like this:
id | user_id | visited_at ---------+---------+----------- varchar | int | timestamp
id is a randomly generated 16+ byte key encoded as a string, and simply store this string in the session cookie w/o any encryption/signing.
Is this approach secure? Does it have any downsides due to the lack of a signing phase? (I was thinking w/o signing we can’t invalidate all sessions by changing the server secret, but then I think we can just delete all the session from the DB since we are not doing stateless authentication anyway.)
UPDATE: I think maybe one benefit of the signing approach is that I can save some space in my DB by using an integer primary key. But I’m more interested in the security aspect.