crypto: Provide OWASP session management security recommendations

[jas-]

This will enable OWASP sessions management recommendations for implementations that may push sensitive information to a server side session.

[jas-]

@roccomuso I hope all is well. I was looking over the travis-ci build logs. Looks like this pr fails due to node v0.10 not supporting es6 class constructors. Is there a reason to support such a legacy version? I was looking over the latest LTS, it isn't even a blip on the radar and the last security patch was four years ago, unless I over looked something.

[roccomuso]

I don't know if it's worth introducing this complexity to the code. And if this is wanted at all.
The sessions are stored in-memory. Inside the process. If someone manage to get access to the server probably you'll have bigger problems than this.

[jas-]

Afternoon, while memory is typically considered more difficult to access than reading a file from disk or even a database store, today's malware includes memory scraping functionality that is trivial to implement.

Couple this with the ability of an attacker to use row hammer attack techniques against memory as a non privileged user or process does indeed put the security of the session at risk.

However, it is your module and if you wish to reject it that is your prerogative. Have a good one.