Open
Description
Not a big deal, but just a few nits about the comparison to my wai-session package:
- `wai-session` is not only server-side sessions (see, for example, https://hackage.haskell.org/package/wai-session-clientsession)
- Session ID generation can be done in any way that an application likes, but there is a helper provided (not required to be used) which uses `System.Entropy.getEntropy` -- so I don't think the helper produces weak session ids, but even if it did it's not required (since session IDs aren't even required, see above)
- Session fixation and lack of session invalidation is true of some backends, the middleware itself doesn't handle this generally for all possible backends, so that's fair of the abstract case
- There is no out-of-the-box support for TokyoCabinet and never has been -- only out-of-the-box support for in-memory sessions (which are realistically only for testing or very small cases where security is not important) -- backends exist out of package (not "out-of-the-box") for tokyocabinet, postgres, mysql, clientsession, and serversession