we want to use Node-Red, but our security-team requests, that the SessionID of a web-applications for every user has to be unpredictable randomised (PRNG) with at least 128bit entropy.
I tried to search for that without any clear answer.
So my question is, does Node-Red fits these requirements and is documented anywhere or can it be configured like this?
Or ist this realated to OS?
The tokens are generated as 128 character random hex strings using node's built-in Math.random function, which does have 128bit entropy from the v8 engine - https://v8.dev/blog/math-random
Whether that is sufficient for your needs, I can't say.
Now I look at it again, there are probably better alternatives to Math.random built into node.js that we ought to move over to. Something for the next release.
thanks for your fast response!
I thought about the session token for the editor itself.
So your answer is perfect for me and if you will implement better solutions you know, this would be very nice, of course.
Is the SessionID different for applications created with Node-Red?
You caught me at the right time with this question - just pushed a commit that moves over to node's crypto.randomBytes function for all of our token/session generation. Will be in the next release.
(By "right time" I mean: "I have lots I should be doing, but finding plenty of distractions to keep me busy")
Yes - because the built-in HTTP nodes do not have any session handling built into them. It is up to the Application Developer to create whatever session handling they need.