Mention possible timing attack on session validation (#1802)

pilcrowonpaper · web-flow · commit 98f9bd8d023d · 2025-06-08T23:34:26.000+09:00
diff --git a/pages/lucia-v3/migrate.md b/pages/lucia-v3/migrate.md
@@ -14,7 +14,7 @@ We ultimately came to the conclusion that it'd be easier and faster to just impl
 
 Replacing Lucia v3 with your own implementation should be a straight-forward path, especially since most of your knowledge will still be very useful. No database migrations are necessary.
 
-If you're fine with invalidating all sessions (and signing out everyone), consider reading through the [new implementation guide](/sessions/basic).
+If you're fine with invalidating all sessions (and signing out everyone), consider reading through the [new implementation guide](/sessions/basic). The new API is more secure and patches out a very impractical timing attack (see code below for details).
 
 ### Sessions
 
@@ -46,6 +46,13 @@ export function createSession(dbPool: DBPool, userId: number): Promise<Session>
 
 export function validateSession(dbPool: DBPool, sessionId: string): Promise<Session | null> {
 	const now = Date.now();
+
+	// This may be vulnerable to a timing attack where an attacker can measure the response times
+	// to guess a valid session ID.
+	// A more common pattern is a string comparison against a secret using the === operator.
+	// The === operator is not constant time and the same can be said about SQL = operators.
+	// Some remote timing attacks has been proven to be possible but there hasn't been a successful
+	// recorded attack on real-world applications targeting similar vulnerabilities.
 	const result = dbPool.executeQuery(
 		dbPool,
 		"SELECT id, user_id, expires_at FROM session WHERE id = ?",
diff --git a/pages/sessions/basic.md b/pages/sessions/basic.md
@@ -6,7 +6,7 @@ title: "Basic session implementation"
 
 ## Overview
 
-Sessions are stored in a database with their ID and hash of the secret. The secret is hashed before storage to minimize the impact of breaches and leaks. Once a token is lost, the server cannot re-issue it.
+Sessions have an ID and secret. We're using a separate ID and secret to prevent any possibility of a timing attacks. The secret is hashed before storage to minimize the impact of breaches and leaks.
 
 ```ts
 interface Session {
@@ -16,7 +16,7 @@ interface Session {
 }
 ```
 
-Tokens issued to clients include both the ID and secret:
+Tokens issued to clients include both the ID and un-hashed secret.
 
 ```
 <SESSION_ID>.<SESSION_SECRET>
