Should session ID cookie be signed?

Question

I was using the Node library https://github.com/expressjs/session and noticed that it requires a secret to be specified for signing the session ID cookie.

If just the session ID is being stored in the cookie, and not any data, what is the use in signing the cookie?

My reasoning is that if someone wanted to modify a session ID cookie, then that's fine if the session ID sufficiently long to prevent brute force attacks. Am I missing something?

Answer 1

I questioned this as well and the only answers I could think of were,

• a) If someone (for no good reason?) changes the default session ID generation to a non-cryptographically random session ID, signing it helps prevent attackers generating valid session IDs.
• b) Reduce round trips to the session store by validating the session ID using the signature/HMAC. (I can only imagine this being a problem for DoS attacks).

Both seem like valid reasons though using good session caching would negate the need for b) and assuming your library's users are daft enough to change the default session ID generation, it seems a bit much to safe-guard against their own stupidity when the majority of users would just use the default generation algorithm.