Update app auth config session ID generation to include a prefix#64457
Draft
gabrielcorado wants to merge 2 commits intomasterfrom
Draft
Update app auth config session ID generation to include a prefix#64457gabrielcorado wants to merge 2 commits intomasterfrom
gabrielcorado wants to merge 2 commits intomasterfrom
Conversation
gabrielcorado
added
the
no-changelog
9 tasks
github-actions
bot
added
audit-log
greedy52
reviewed
Mar 10, 2026
| // appAuthConfigSessionIDPrefix is a prefix added to app auth config session | ||
| // IDs. The prefix includes a non-hex character ("u") so that it will never | ||
| // conflict with regular app session ID (which are hex values). | ||
| const appAuthConfigSessionIDPrefix = "auth" |
Contributor
There was a problem hiding this comment.
The prefix includes a non-hex character ("u")
interesting. so his allows us to keep the same length? any other alternative name than auth?
Contributor
Author
There was a problem hiding this comment.
Yes, we keep the same length. We could use anything that is non-hex, including a single character (for example, zXXXX). I've left it as auth so we have both a descriptive indicator and also avoid conflicts with regular app sessions, but I'm open to suggestions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Raised in this thread.
With the addition of app auth config sessions, we can now generate session IDs from other values (using SHA256) instead of having them generated using a "crypto-strong pseudo-random generator". This change increased the chances of conflicting session IDs. Although the chances are still small, a conflict would cause the session to be overwritten, and existing clients would access a different session.
Given this, in this PR, we add a non-hex prefix to app auth config sessions, eliminating the chance of conflicting with regular app sessions.
IMPORTANT: The regular app session IDs remain unchanged, and this affects only sessions using app auth config.
Manual Test Plan
Test Environment
The environment requires using the branch from #62975, which introduces MCP sessions using app auth config. The test environment used was the same as the other PR; you can check there for more details.
With that setup, we need to generate a few (tested with 5) sessions (by starting the MCP client).
Test Cases
For each audit storage backend:
The following was tested:
tsh recordings lstsh play ssh-session-idAlthough programmatically those other parts are not affected, I also tested them since touch audit events:
tsh play -f json chunk-id(doesn't directly use the session ID, but has it on the events)