Recently I was digging into session management, and it appears to be a best practice to assign a session identifier to a hashed CSPRNG output.
session_identifier = hash(algorithm, CSPRNG(number_of_bits))
Why is this a good idea?
If we generate strong random session ids, do we still need the hash? Absolutely!
Hash functions are one-way, so theoretically it’s not possible to get the CSPRNG output. Which means … we can’t predict further CSPRNG outputs if we don’t even have one, right? (Assuming the attacker/observer doesn’t have access to the server where the CSPRNGs live.)
This is beginning to make sense. Perhaps one of the reasons they’re doing it is because systems might fall back to insecure CSPRNGs/RNGs.
But anyways, what are your guys’ thoughts? I’m new to cryptography, so I could be wrong about so many things.
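To make the construction in the question concrete, here is an added example (my own code, not something from the original post or any library the post refers to) that implements session_identifier = hash(algorithm, CSPRNG(number_of_bits)) with Python's standard secrets and hashlib modules. The function names new_session_id, session_id_bits and entropy_upper_bound_bits are my own; the parameter checks reflect the obvious limits of the construction (the digest cannot carry more entropy than the CSPRNG bytes fed into it, nor more than its own output size).

```python
import hashlib
import secrets

# Smallest CSPRNG input the helper accepts. Hashing does not add entropy, so a
# short random input would simply produce a weak identifier. (Assumed policy.)
MIN_BITS = 128


def new_session_id(algorithm: str = "sha256", number_of_bits: int = 256) -> str:
    """Return hex(hash(algorithm, CSPRNG(number_of_bits))).

    secrets.token_bytes draws from the operating system's CSPRNG and hashlib.new
    applies the named digest; the digest output is the session identifier that
    leaves the server. The raw CSPRNG bytes are never returned or stored.
    """
    # Only fixed-length digests make sense here; SHAKE variants need an
    # explicit output length and are rejected to keep the helper predictable.
    if algorithm not in hashlib.algorithms_guaranteed or algorithm.startswith("shake"):
        raise ValueError(f"unsupported hash algorithm: {algorithm!r}")
    if number_of_bits < MIN_BITS or number_of_bits % 8:
        raise ValueError(f"number_of_bits must be a multiple of 8 and at least {MIN_BITS}")
    raw = secrets.token_bytes(number_of_bits // 8)  # CSPRNG output, kept server-side
    return hashlib.new(algorithm, raw).hexdigest()


def session_id_bits(algorithm: str = "sha256") -> int:
    """Length in bits of the identifier produced for this digest algorithm."""
    return hashlib.new(algorithm).digest_size * 8


def entropy_upper_bound_bits(algorithm: str, number_of_bits: int) -> int:
    """Most entropy the identifier can carry.

    It is bounded both by the CSPRNG input (number_of_bits) and by the digest
    size: hashing 512 random bits through SHA-256 yields at most 256 bits of
    unpredictability, and hashing 128 random bits through SHA-512 yields at
    most 128.
    """
    return min(number_of_bits, session_id_bits(algorithm))


if __name__ == "__main__":
    sid = new_session_id("sha256", 256)
    print(sid, len(sid) * 4, "bits of hex output")
    print("entropy upper bound:", entropy_upper_bound_bits("sha256", 256))
```

Running it prints a fresh 64-character hex identifier each time. The entropy_upper_bound_bits helper is there to make one point visible in code: whatever the reason for the hash step, the unpredictability of the identifier is capped by the CSPRNG input, so the number_of_bits choice matters at least as much as the algorithm choice.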