I’m not sure what the options are for storing and managing session IDs for long-lived sessions (3-6 months each).
Given that the session ID is generated with enough entropy and that the session ID is then given to the user via SSL and a Secure, HttpOnly cookie, these are the options I came up with for storing the session ID:
- Just store the session ID in plain text in the database or file system
  - Pros: fast, easy
  - Cons: any compromised backup or unauthorised access to the database gives access to all active sessions
- Give both a session ID and a session key to the user and hash the session key before storing them in the database
  - Pros: secure both if the user compromises the server and the database
  - Cons: possibly slow (IIRC cryptographically safe hashing functions are intended to be slow) for something that needs to occur at every request
- Create a signed JWT token over that session ID with a secret stored on the server
  - Pros: probably faster than hashing, bigger tokens (as in length)
  - Cons: not secure if both the server and database are compromised
What is the recommended way to manage and, most importantly, store sessions?
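As an added example (not code from the question's author), here is the second option from the list worked through: the server hands out a session ID plus a separate high-entropy session key, stores only a hash of the key, and verifies each request by hashing the presented key and comparing it with the stored digest. The in-memory dict standing in for the database table, the 6-month lifetime, and the cookie helper are assumptions made for the example. The hash is a plain SHA-256 rather than a slow password KDF: that is a deliberate design choice, justified in the comments by the key being 256 random bits from the OS CSPRNG rather than a low-entropy password.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stand-in for the sessions table.
# Maps session_id -> {"key_hash": bytes, "expires_at": float}
SESSION_STORE: Dict[str, dict] = {}

# Assumed long-lived session lifetime: roughly six months, in seconds.
SESSION_LIFETIME_SECONDS = 180 * 24 * 3600


def _hash_key(session_key: str) -> bytes:
    # SHA-256 is enough here because the key is 256 bits of CSPRNG output:
    # an attacker who steals the table holds only digests and cannot
    # brute-force a 256-bit preimage, so a slow KDF (bcrypt/scrypt/Argon2)
    # is unnecessary and the per-request cost stays in the microseconds.
    return hashlib.sha256(session_key.encode("utf-8")).digest()


def create_session(now: Optional[float] = None) -> Tuple[str, str]:
    """Create a session and return (session_id, session_key) for the cookie.

    Only the hash of session_key is persisted; the plaintext key exists
    solely in the cookie sent to the client.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)   # 128-bit lookup handle
    session_key = secrets.token_urlsafe(32)  # 256-bit secret
    SESSION_STORE[session_id] = {
        "key_hash": _hash_key(session_key),
        "expires_at": now + SESSION_LIFETIME_SECONDS,
    }
    return session_id, session_key


def verify_session(session_id: str, session_key: str,
                   now: Optional[float] = None) -> bool:
    """Return True only if the ID exists, is unexpired, and the key matches."""
    now = time.time() if now is None else now
    record = SESSION_STORE.get(session_id)
    if record is None:
        return False
    if now >= record["expires_at"]:
        # Expired: drop it so stale rows do not accumulate for months.
        SESSION_STORE.pop(session_id, None)
        return False
    # Constant-time comparison of equal-length digests; harmless here and
    # the right habit for any secret comparison.
    return hmac.compare_digest(_hash_key(session_key), record["key_hash"])


def revoke_session(session_id: str) -> None:
    """Server-side logout: deleting the row invalidates the cookie immediately."""
    SESSION_STORE.pop(session_id, None)


def set_cookie_header(session_id: str, session_key: str) -> str:
    """Build the Set-Cookie value with the attributes the question relies on."""
    return (
        f"session={session_id}.{session_key}; "
        f"Max-Age={SESSION_LIFETIME_SECONDS}; Path=/; Secure; HttpOnly; SameSite=Lax"
    )


if __name__ == "__main__":
    sid, key = create_session()
    print(set_cookie_header(sid, key))
    print("valid:", verify_session(sid, key))
    print("wrong key:", verify_session(sid, "not-the-key"))
    revoke_session(sid)
    print("after revoke:", verify_session(sid, key))
```

The cookie carries `session_id.session_key`; the server splits it, looks the row up by ID, and compares hashes. Because the stored value is a digest, a leaked backup yields nothing that can be replayed, while `revoke_session` still gives instant server-side invalidation, which the JWT variant cannot offer without a separate denylist.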