13 Feb
Login, logout, session ID hashing and logging
The session ID is a randomly generated string (node, crypto) of minimum 32 chars. The session ID will be stored in a NoSQL sessions table as well as in the main SQL database. I will use SHA-512 as the hash function on the session ID wherever it is stored. I am choosing 512 over 256 for future proofing.
In place of a user_login table, my plan is to have a single table of user_session:
user_session - id, user_id (FK), session_id (SHA-512 hash), created_at, destroyed_at
This will allow me to:
- Look up a user's last successful login ("You last logged in at")
- Log session destructions
- Proactively destroy all user sessions if a user is banned/deleted by deleting all sessions from the NoSQL session store if session ID is in
SELECT session_id FROM user_session WHERE user_session.user_id = THE_USER_ID
- Log and link to a specific session ID any sensitive actions that I may wish to have a log of by hashing the current session ID.
Can anyone see any flaws in this? I think this is safe, practical and performant but I would like to hear the opinions of others.