Overview
Package security provides cryptographic utilities for session token binding and hijacking prevention. It handles HMAC-SHA256 token hashing, salt generation, and constant-time comparison to prevent timing attacks.
Index
Constants
const (
// SHA256HexLen is the length of a hex-encoded SHA256 hash (32 bytes = 64 hex characters)
SHA256HexLen = 64
)
Variables
This section is empty.
Functions
func GenerateSalt
GenerateSalt generates a cryptographically secure random salt for token hashing. Returns 16 bytes of random data from crypto/rand.
Each session should have a unique salt to provide additional entropy and prevent attacks that work across multiple sessions.
func HashToken
HashToken returns the hex-encoded HMAC-SHA256 hash of a raw bearer token string. Uses HMAC with a server-managed secret and per-session salt to prevent offline attacks if session storage is compromised.
For empty tokens (anonymous sessions) it returns the empty string, which is the sentinel value used to identify sessions created without credentials. The raw token is never stored — only the hash.
Parameters:
- token: The bearer token to hash
- secret: Server-managed HMAC secret (should be 32+ bytes)
- salt: Per-session random salt (typically 16 bytes)
Security: Uses HMAC-SHA256 instead of plain SHA256 to prevent rainbow table attacks and offline brute force if session state leaks from Redis/Valkey.
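The following is an added illustrative reimplementation, not the package's own code, of the three pieces this documentation describes: salt generation from crypto/rand, keyed HMAC-SHA256 hashing with the empty-token sentinel, and a constant-time verification step. The salt||token message layout, the VerifyToken helper, and the placeholder secret are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// SHA256HexLen mirrors the package constant: a 32-byte digest is 64 hex characters.
const SHA256HexLen = 64

// GenerateSalt returns 16 bytes of crypto/rand output, one salt per session.
func GenerateSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// HashToken returns hex(HMAC-SHA256(key=secret, msg=salt||token)); the salt||token layout
// is an assumption. An empty token yields "" (the anonymous-session sentinel). Keying on
// the server secret means a leaked session store cannot be brute-forced offline.
func HashToken(token string, secret, salt []byte) string {
	if token == "" {
		return ""
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(salt)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyToken recomputes the hash for a presented token and compares it with the stored
// hash in constant time; an empty token never matches, so the sentinel cannot authenticate.
func VerifyToken(presented string, secret, salt []byte, storedHash string) bool {
	if presented == "" || len(storedHash) != SHA256HexLen {
		return false
	}
	got := HashToken(presented, secret, salt)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedHash)) == 1
}

func main() {
	secret := []byte("PLACEHOLDER-32-BYTE-SERVER-SECRET") // constructed, not a real secret
	salt, _ := GenerateSalt()
	stored := HashToken("constructed-bearer-token", secret, salt) // constructed token
	fmt.Println(stored, VerifyToken("constructed-bearer-token", secret, salt, stored))
}
```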
Types
This section is empty.