Not a big deal, but just a few nits about the comparison to my wai-session package:

wai-session is not only server-side sessions (see, for example, https://hackage.haskell.org/package/wai-session-clientsession)

Session ID generation can be done in any way that an application likes, but there is a helper provided (not required to be used) which uses System.Entropy.getEntropy -- so I don't think the helper produces weak session ids, but even if it did it's not required (since session IDs aren't even required, see above)

Session fixation and lack of session invalidation is true of some backends, the middleware itself doesn't handle this generally for all possible backends, so that's fair of the abstract case

There is no out-of-the-box support for TokyoCabinet and never has been -- only out-of-the-box support for in-memory sessions (which are realistically only for testing or very small cases where security is not important) -- backends exist out of package (not "out-of-the-box") for tokyocabinet, postgres, mysql, clientsession, and serversession