- It doesn't use a hashing algorithm. It uses
`uid(n)` generates random, unpredictable values:
`generateSessionId` is here: https://github.com/expressjs/session/blob/2d54f0dca1506883bebc634fcb7135c2f02c47cd/index.js#L507
- ...which calls
- ...which is in the
- ...which generates cryptographically safe random numbers. Session-identifiers must be unpredictable.
- Session identifiers (in any context, really) should not be based on a hash of anything anyway because:
- Session content tends to be mutable, not immutable, so using a hash of a session's state or content would make it impossible to retrieve it after it's been changed.
- If two users have the same session-state then they'd have the same session-id value, which is not what you intend.
Dai posted this