Crank up that saltiness -- thanks @Plazmaz! (Note: This only affects …

…apps which explicitly do not provide their own session secret. In production, this is always accompanied by a warning message regardless.)
balderdashy · Mar 2, 2017 · b13c078 · b13c078
1 parent 8c7234d
commit b13c078
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/hooks/session/generateSecret.js b/lib/hooks/session/generateSecret.js
@@ -14,7 +14,7 @@ module.exports = function generateSecret() {
   // Combine random and case-specific factors into a base string
   var factors = {
     creationDate: (new Date()).getTime(),
-    random: Math.random() * (Math.random() * 1000),
+    random: crypto.randomBytes(64).toString('hex'),
     nodeVersion: process.version
   };
   var basestring = '';