chore(webui): improve the randomness of session cookies

Closes #24
2025-04-23 00:16:36 +02:00 · 2025-04-23 00:16:36 +02:00 · 929657fd34
commit 929657fd34
parent 342e1d6328
2 changed files with 7 additions and 8 deletions
--- a/pkg/database/sessions.go
+++ b/pkg/database/sessions.go
@ -2,29 +2,28 @@ package database
 import (
 	"database/sql"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"time"
 	"git.adyxax.org/adyxax/tfstated/pkg/model"
-	"go.n16f.net/uuid"
+	"git.adyxax.org/adyxax/tfstated/pkg/scrypto"
 )
 func (db *DB) CreateSession(account *model.Account) (string, error) {
-	var sessionId uuid.UUID
+	sessionBytes := scrypto.RandomBytes(32)
-	if err := sessionId.Generate(uuid.V4); err != nil {
+	sessionId := base64.RawURLEncoding.EncodeToString(sessionBytes[:])
 		return "", fmt.Errorf("failed to generate session id: %w", err)
 	}
 	if _, err := db.Exec(
 		`INSERT INTO sessions(id, account_id, data)
 		   VALUES (?, ?, ?);`,
-		sessionId.String(),
+		sessionId,
 		account.Id,
 		"",
 	); err != nil {
 		return "", fmt.Errorf("failed insert new session in database: %w", err)
 	}
-	return sessionId.String(), nil
+	return sessionId, nil
 }
 func (db *DB) DeleteExpiredSessions() error {
--- a/pkg/webui/sessions.go
+++ b/pkg/webui/sessions.go
@ -21,7 +21,7 @@ func sessionsMiddleware(db *database.DB) func(http.Handler) http.Handler {
 				return
 			}
 			if err == nil {
-				if len(cookie.Value) != 36 {
+				if len(cookie.Value) != 43 {
 					unsetSesssionCookie(w)
 				} else {
 					session, err := db.LoadSessionById(cookie.Value)