Session ID with PRNG

Hello there,

we want to use Node-RED, but our security team requires that the session ID of a web application has to be unpredictably randomised (PRNG) for every user, with at least 128-bit entropy.

I tried to search for this but found no clear answer.

So my question is: does Node-RED fit these requirements, and is this documented anywhere, or can it be configured like this?
Or is this related to the OS?

Thank you very much for your help!

Have a nice weekend
Jan-Frederik

Are you referring to the login token used to access the Node-RED editor? Or is this about the application you'd like to create using Node-RED?

If this is regarding the session token for the editor, you can see the code used to generate the token here: https://github.com/node-red/node-red/blob/master/packages/node_modules/@node-red/editor-api/lib/auth/tokens.js#L17

The tokens are generated as 128-character random hex strings using node's built-in Math.random function, which does have 128-bit entropy from the v8 engine - https://v8.dev/blog/math-random

Whether that is sufficient for your needs, I can't say.

Now that I look at it again, there are probably better alternatives to Math.random built into node.js that we ought to move over to. Something for the next release.


Hi Knolleary,

thanks for your fast response!
I thought about the session token for the editor itself.
So your answer is perfect for me, and if you implement the better solutions you know of, that would be very nice, of course.

Is the session ID different for applications created with Node-RED?

You caught me at the right time with this question - just pushed a commit that moves over to node's crypto.randomBytes function for all of our token/session generation. Will be in the next release.

(By "right time" I mean: "I have lots I should be doing, but finding plenty of distractions to keep me busy")

Yes - because the built-in HTTP nodes do not have any session handling built into them. It is up to the Application Developer to create whatever session handling they need.
