Why session secrets matter
Most session middleware — Express's express-session, Flask's built-in sessions, Rails' cookie store — signs the session cookie with a secret key before sending it to the browser. If an attacker can guess or brute-force that secret, they can forge a valid session cookie and impersonate any user without ever touching your database.
The fix is simple: use a long, random, unpredictable secret and never commit it to source control. This tool generates one in your browser with crypto.getRandomValues — the same CSPRNG used by OpenSSL — so nothing is ever transmitted.
Adding it to your project
# .env
SESSION_SECRET=<paste generated value here>// Express
import session from "express-session";
app.use(session({
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
}));# Flask
app.config["SECRET_KEY"] = os.environ["SECRET_KEY"]Rotating a session secret
Rotating SESSION_SECRET invalidates every existing session — all logged-in users get signed out. Some libraries (like Express's express-session with an array of secrets) support rotation without a hard cutover: pass [newSecret, oldSecret] so old sessions still verify while new ones use the new key, then drop the old one after a grace period.