Currently, if session IDs are enabled, we rotate them based on random chance:
```javascript
// Every so often, we want to rotate the session ID to mitigate its impact
// randomInteger() and createUUID() are the project's own helpers (not shown here)
var n = randomInteger(1, 10);
var k = window.location.hostname + "_sess-id";
var i = sessionStorage.getItem(k);
// If there's no item in storage, or if we've decided to rotate (a 1-in-10 chance)
if (!i || n == 5) {
    i = createUUID();
    sessionStorage.setItem(k, i);
}
```
In theory it should rotate, on average, every 1:10 requests. However, it's equally possible (but unlikely) for it to remain the same for hundreds of requests.
As we're storing stuff in sessionStorage anyway, we should add a counter - if the ID has been used n times then we should force a rotation.
The random rotation should also be kept as it helps prevent correlation between requests
Related: #17 Increase odds of Session ID rotating
Activity
05-Apr-22 10:14
assigned to @btasker
05-Apr-22 11:05
mentioned in commit a7cd833843e83414da19317ba4ff4717f238d728
Message
Add a counter and rotate sessionID if it's been used too many times websites/privacy-sensitive-analytics#16
Using the default setting, a sessionID will be used at most 3 times, before being rotated.
The random chance of rotating is retained (although the odds should perhaps be increased)
05-Apr-22 11:07
This is implemented - the default used means that a session ID will be used, at most, 3 times before rotating.
The random rotation is kept, but might want to look at whether the odds should be adjusted - if we're rotating every 3 requests then a 1:10 chance of rotating probably doesn't add much uncertainty.
I'll raise a separate ticket for that though as it feels an important enough change to warrant documenting separately
05-Apr-22 11:10
mentioned in issue #17
05-Apr-22 11:10
marked this issue as related to #17
05-Apr-22 11:10
changed title from "Give session ID's a max life-time" to "Give session IDs a max life-time"