2018-08-20 08:57


  • cookies
  • session
  • encryption
  • authentication

My query comes from trying to use a session store, e.g. RedisStore in Golang, where the store takes a vararg as its last argument which, as per the documentation, consists of pairs of authentication and encryption keys.

Most of the examples I see just use a single argument here (e.g. "secret", "mysecret", etc.) and I couldn't get any information about what is achieved by sending multiple pairs of authentication and encryption keys.

Could someone please explain more or direct me to some information about the purpose of the authentication and encryption keys in session management using cookies?



  • du958642589 3 years ago

    From the docs:

    Keys are defined in pairs to allow key rotation, but the common case is to set a single authentication key and optionally an encryption key.

    The first pair is used for authentication, encryption and decryption, all other pairs are only used for authentication and decryption (but not encryption).

    This is a very common strategy for key rotation. A new key pair is generated regularly and becomes the new key for encryption. Some or all other keys are kept around so that existing data can still be decrypted for some time. The oldest key can be discarded eventually. This limits the impact of a disclosed key because it becomes useless after some time.

    Other software that uses this method:

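The rotation scheme the answer quotes, as an added example (not the questioner's code and not gorilla/sessions' own): the first (authentication key, encryption key) pair seals a cookie, and Open tries every configured pair in order, so a cookie sealed before a rotation still opens until the old pair is dropped, while a cookie valid under no pair is rejected. KeyPair, NewPair, Seal and Open are hypothetical names, and the example uses only the Go standard library (AES-GCM plus HMAC-SHA256) rather than gorilla/securecookie's exact encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyPair is a hypothetical stand-in for one (authentication key, encryption key) pair; list the newest first.
type KeyPair struct{ HashKey []byte; AEAD cipher.AEAD } // HMAC-SHA256 key; AES-GCM built from the encryption key
func NewPair(hashKey, blockKey []byte) (KeyPair, error) {
	blk, err := aes.NewCipher(blockKey) // blockKey must be 16, 24 or 32 bytes
	if err != nil {
		return KeyPair{}, err
	}
	gcm, err := cipher.NewGCM(blk)
	return KeyPair{hashKey, gcm}, err
}
func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// Seal uses only the FIRST (newest) pair: AES-GCM encrypt, then append an HMAC-SHA256 tag over nonce||ciphertext.
func Seal(pairs []KeyPair, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, pairs[0].AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := pairs[0].AEAD.Seal(nonce, nonce, plaintext, nil) // nonce is prepended to the ciphertext
	return append(ct, mac(pairs[0].HashKey, ct)...), nil
}

// Open tries every pair in order, so a cookie sealed under a now-older pair still opens; no match means rejection.
func Open(pairs []KeyPair, cookie []byte) ([]byte, error) {
	if len(cookie) < sha256.Size {
		return nil, errors.New("malformed cookie")
	}
	ct, tag := cookie[:len(cookie)-sha256.Size], cookie[len(cookie)-sha256.Size:]
	for _, p := range pairs {
		if !hmac.Equal(mac(p.HashKey, ct), tag) {
			continue // not authenticated under this pair's hash key; try the next one
		} // a verified tag means ct is one Seal produced, so it starts with its GCM nonce
		return p.AEAD.Open(nil, ct[:p.AEAD.NonceSize()], ct[p.AEAD.NonceSize():], nil)
	}
	return nil, errors.New("cookie not valid under any configured key pair")
}
```

Keeping the old pair after the first position is what lets sessions issued before the rotation survive it; dropping it is what finally makes a leaked old key useless.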