use secure uuid.v4 as session cookie secret

Otto-AA · Otto-AA · commit f824eb961591 · 2023-02-12T03:39:33.000+01:00
uuid.v1 is considered insecure and thus the secret could be bruteforced. Instead this will use uuid.v4 which includes proper randomness
diff --git a/lib/create-app.js b/lib/create-app.js
@@ -302,7 +302,7 @@ function initAuthentication (app, argv) {
 function sessionSettings (secureCookies, host) {
   const sessionSettings = {
     name: 'nssidp.sid',
-    secret: uuid.v1(),
+    secret: uuid.v4(),
     saveUninitialized: false,
     resave: false,
     rolling: true,
