Simplest secure way to create session cookies


Background: I’ve been using a simple session cookie design for my web app. I have a users table, and a sessions table that basically looks like this:

 id  | user_id | visited_at -----+---------+-----------  int | int     | timestamp 

And a session cookie contains just a session ID, signed with a secret key. I give the cookie an expiration date (but the source of truth is still the timestamp in the DB), and make sure it’s secure and HTTP-only.

Then I came across these threads:

  • https://news.ycombinator.com/item?id=16157002#16159301
  • https://news.ycombinator.com/item?id=16006394

I think tptacek is basically saying that, instead of storing the signed session ID in the cookie, I can make the sessions table like this:

 id      | user_id | visited_at ---------+---------+-----------  varchar | int     | timestamp 

…where id is a randomly generated 16+ byte key encoded as a string, and simply store this string in the session cookie w/o any encryption/signing.

Is this approach secure? Does it have any downsides due to the lack of a signing phase? (I was thinking w/o signing we can’t invalidate all sessions by changing the server secret, but then I think we can just delete all the session from the DB since we are not doing stateless authentication anyway.)

UPDATE: I think maybe one benefit of the signing approach is that I can save some space in my DB by using an integer primary key. But I’m more interested in the security aspect.