Generating Session IDs

In this lesson, we'll see how secure session IDs are generated.

Using incremental session IDs is a bad choice

It should go without saying, but your session IDs (often stored in cookies) should not follow a known pattern or be guessable in general. Using an auto-incrementing sequence of integers as IDs would be a terrible choice: an attacker could simply log in, receive the session ID X, and then replace it with X ± N, where N is a small number, to increase the chances of hitting the identifier of a recent, valid session.

Generating secure IDs

The simplest choice would be to use a cryptographically secure function that generates a random string. This is usually not a hard task to accomplish. Let’s take the Beego framework, very popular among Golang developers, as an example; the function that generates session IDs is
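The Beego function itself is not reproduced on this page. As an added example that is not Beego's code, the following shows how such a generator is typically written in Go with the crypto/rand package (the 32-byte size and the hex encoding are choices made for this example), together with the validation a server should run on an ID it receives back from a client:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// sessionIDBytes is the number of random bytes per session ID.
// 32 bytes gives 256 bits of entropy, far more than an attacker could
// enumerate; the value is an assumption made for this example.
const sessionIDBytes = 32

// NewSessionID returns a hex-encoded session ID drawn from the operating
// system's cryptographically secure random source. It deliberately has no
// fallback to math/rand: if the CSPRNG fails, the error goes to the caller
// rather than silently producing a predictable ID.
func NewSessionID() (string, error) {
	b := make([]byte, sessionIDBytes)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("session id: csprng unavailable: %w", err)
	}
	return hex.EncodeToString(b), nil
}

// IsWellFormedSessionID checks that a client-supplied ID has exactly the
// length and alphabet NewSessionID produces, so malformed or truncated
// cookie values are rejected before any session-store lookup.
func IsWellFormedSessionID(id string) bool {
	if len(id) != sessionIDBytes*2 {
		return false
	}
	_, err := hex.DecodeString(id)
	return err == nil
}

func main() {
	id, err := NewSessionID()
	if err != nil {
		panic(err)
	}
	fmt.Println(id, IsWellFormedSessionID(id))
}
```

Two calls never return the same value in practice, and no two IDs are related in any predictable way, which is exactly the property the incremental scheme above lacks.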
