Can I disable encryption for a simple SID?

[jtlapp]

If I'm only using a session ID with no extra data, encrypting it doesn't buy me anything. Is there a way to turn off encryption? I'd rather not waste the clock cycles if I don't have to.

I'll be storing session ID hashes on the server, no keys. That way should someone breach the server, they'll be forced to muck with the server and risk detection and not also have the option of silently spoofing users of their choosing.

I'll be happy to trust keys when I can keep them in an HSM. Thanks!

[Marsup]

Unlikely to happen considering #100.

[jtlapp]

Thanks for pointing me to that conversation. I also don't need the expense of conversion to and from JSON. I'll look elsewhere.

[jtlapp]

I was just scanning through an old session implementation of mine and noticed that I am doing a sig check but no encryption/decryption, not to verify that I can trust the data, but to prevent a DDoS attack from barraging the database. On success, I'd check the session hash against the DB (or cache), because absent HSM, we have to store the signing secret plaintext.

Do you have measures in place for keeping DDoS from excessively consuming clock cycles in decryption or JSON deserialization? Do you limit token or JSON string sizes before decrypting or deseriailzing?

See also auth0/node-jsonwebtoken#212

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.