.env · security🔥 popular

Session Secret Generator

Generate a cryptographically strong session secret for Express, Flask, CSRF tokens, and cookie signing. All in-browser — nothing is sent to any server.

Be the first to rate
generated locally · crypto.getRandomValues · nothing sent anywhere
Express / connect-session Secret
Base64url, 32 bytes — used to sign the session ID cookie
Secret value
.env line
SESSION_SECRET=
Flask SECRET_KEY
Hex, 32 bytes — matches Python's secrets.token_hex(32)
Secret value
.env line
SECRET_KEY=
CSRF Secret
Base64url, 32 bytes — for CSRF token signing (csurf, Django, Rails)
Secret value
.env line
CSRF_SECRET=
Cookie Signing Secret
Base64url, 32 bytes — signs cookie-parser / cookie-session cookies
Secret value
.env line
COOKIE_SECRET=
Session Secret (high entropy)
Base64url, 48 bytes — extra margin for long-lived sessions
Secret value
.env line
SESSION_SECRET=

What it does

  • Presets for Express/connect-session, Flask, CSRF, and cookie signing
  • Base64url and hex output, matching each framework's expected format
  • Runs entirely in-browser with crypto.getRandomValues
  • One-click copy of raw value or full .env line

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Setting up session-based auth in Express, Koa, or Flask for the first time
  • Rotating a session secret after a suspected leak
  • Generating a separate CSRF_SECRET instead of reusing SESSION_SECRET
  • Filling in a .env.example placeholder before your first deploy

Common mistakes

  • Hardcoding SESSION_SECRET as a short string like 'keyboard cat' in production
  • Reusing the same secret across sessions, CSRF, and cookie signing
  • Committing the secret to git instead of loading it from the environment
  • Not rotating the secret when a team member with access leaves

Why session secrets matter

Most session middleware — Express's express-session, Flask's built-in sessions, Rails' cookie store — signs the session cookie with a secret key before sending it to the browser. If an attacker can guess or brute-force that secret, they can forge a valid session cookie and impersonate any user without ever touching your database.

The fix is simple: use a long, random, unpredictable secret and never commit it to source control. This tool generates one in your browser with crypto.getRandomValues — the same CSPRNG used by OpenSSL — so nothing is ever transmitted.

Adding it to your project

# .env
SESSION_SECRET=<paste generated value here>
// Express
import session from "express-session";
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
}));
# Flask
app.config["SECRET_KEY"] = os.environ["SECRET_KEY"]

Rotating a session secret

Rotating SESSION_SECRET invalidates every existing session — all logged-in users get signed out. Some libraries (like Express's express-session with an array of secrets) support rotation without a hard cutover: pass [newSecret, oldSecret] so old sessions still verify while new ones use the new key, then drop the old one after a grace period.

Frequently asked questions

What is a session secret used for?

A session secret signs the session ID cookie your server sends to the browser (e.g. express-session's connect.sid). Signing proves the cookie wasn't tampered with — without it, anyone could forge a session ID and hijack another user's session.

How long should SESSION_SECRET be?

At least 32 random bytes (256 bits) of entropy. Anything shorter is brute-forceable with modern hardware. This tool defaults to 32 bytes base64url-encoded, with a 48-byte high-entropy option for long-lived sessions.

Is a session secret the same as a JWT secret?

They serve a similar purpose — signing a token to prevent tampering — but they're used in different systems. A session secret signs a server-side session cookie; a JWT secret signs a stateless token verified without a database lookup. If you need a JWT signing key instead, use our dedicated JWT Secret Generator.

Can I use the same secret for SESSION_SECRET and CSRF_SECRET?

No. Use a different random value for each purpose. If one leaks, you don't want it to compromise every other signed value in your app. This tool generates independent secrets for sessions, CSRF, and cookie signing.

Is the generated secret uploaded or stored anywhere?

No. Every value is generated in your browser using crypto.getRandomValues — nothing is sent to any server.

Related tools

Learn more

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.