Session Secret Generator
Generate a secure random session secret for Express SESSION_SECRET, Flask/Django SECRET_KEY, and signed cookies - Base64, Base64URL, and Hex formats
[ Session Secrets - Quick Summary ]
What: Generate a cryptographically secure random session secret used to sign and encrypt session cookies. Supports Base64, Base64URL, Hex, and Alphanumeric encodings with configurable byte lengths (16-128 bytes, 128-1024 bits of entropy). Uses CSPRNG (PHP random_bytes) so the value cannot be predicted or brute-forced.
When to use: Setting SESSION_SECRET for Express / express-session, SECRET_KEY for Flask and Django, the signing key for cookie-session and JWT session middleware, or any framework that signs session IDs and cookies. Drop the value into an environment variable - never hard-code it in source.
Example: k9Qm2X7pL4wV6sZ8aB1cD0eF3gH5jN7rT2yU4iO6pA= (Base64, 32 bytes, 256 bits entropy)
Security/Important: Use minimum 32 bytes (256 bits) for production session signing. Store the secret in an environment variable or secrets manager - never commit it to version control. Use a different secret per environment (dev/staging/prod). Rotating the secret invalidates all existing sessions and logs everyone out, so rotate deliberately. Keep it server-side only; it must never reach the browser.
Our session secret generator creates a secure random secret key for signing and encrypting session cookies. Generate a session secret in Base64, Base64URL, Hex, or Alphanumeric encoding with configurable byte lengths (16-128 bytes) using a cryptographically secure random number generator (CSPRNG). Perfect for the Express SESSION_SECRET, Flask and Django SECRET_KEY, Koa and Fastify cookie signing, and any middleware that needs a strong secret key. Session secrets are used server-side to compute an HMAC over the session ID so a tampered cookie is rejected - they must be long, random, and kept out of your source code. Use our generator to create the value once, paste it into your .env file, and reference it from configuration. Related tools: an encryption key generator for AES/data-at-rest keys, a Laravel APP_KEY generator, and a bearer token generator for OAuth 2.0 access tokens. All secrets use CSPRNG for maximum unpredictability.
What is a Session Secret Generator?
A session secret generator creates the random key your web framework uses to sign (and optionally encrypt) session cookies. When a user logs in, the server stores a session and hands the browser a cookie containing the session ID. To stop an attacker from forging or tampering with that cookie, the framework computes an HMAC of the cookie value using a server-side secret - the session secret. On each request the signature is recomputed and compared; if it does not match, the cookie is rejected. Because the security of every session depends on this one value, it must be long, unpredictable, and impossible to guess. Our generator uses a cryptographically secure random number generator (CSPRNG via PHP's random_bytes) so the output has full entropy.
Different frameworks name the value differently but the requirement is the same: Express with express-session uses SESSION_SECRET, Flask and Django use SECRET_KEY, Koa's cookie signing uses an array of keys, and Laravel signs sessions with its APP_KEY. Choose a byte length of at least 32 bytes (256 bits) for production and pick an encoding your framework accepts - Base64 and Hex are the most common. Generate the secret once, store it in an environment variable or a secrets manager, and use a distinct value for each environment. Never place a session secret in client-side code or check it into version control.
Session Secret Generator Configuration
Count (1-50 Secrets)
Byte Length (16-128 bytes)
Encoding Format
How to Generate a Session Secret
[STEP 1] Choose Length and Format
Select 32 bytes (256 bits) for production and pick an encoding - Base64 is a safe default for SESSION_SECRET and SECRET_KEY. Use 64 bytes for high-security applications. Set count to 3 if you want a separate secret for dev, staging, and production in one go.
[STEP 1] Generate the Secret
Click EXECUTE GENERATION to create session secrets with CSPRNG security. Each secret displays with a Copy button and shows its byte length, entropy bits, and strength assessment (weak/fair/good/strong/very_strong). All secrets use PHP's random_bytes for cryptographic randomness.
[STEP 1] Store It in an Environment Variable
Paste the secret into your .env file, for example SESSION_SECRET=... (Express) or SECRET_KEY=... (Flask/Django). Reference it from configuration - process.env.SESSION_SECRET or os.environ["SECRET_KEY"]. Never hard-code the value or commit the .env file.
[STEP 1] Use a Distinct Secret Per Environment
Generate a different secret for each environment and store it in that environment's secrets manager (AWS Secrets Manager, Doppler, Vault, or your platform's config). Rotating the secret invalidates all active sessions, so plan rotations for maintenance windows.
Session Secret Best Practices
- _ Sufficient Length - Use at least 32 bytes (256 bits) of entropy for a production session secret. The secret is never sent to the client, so there is no downside to a longer value. Our generator uses CSPRNG (random_bytes) to guarantee unpredictability.
-
_
Environment Variables Only - Store the secret in an environment variable or a secrets manager, never in source code. Add
.envto.gitignore. A session secret committed to a public or shared repository must be treated as compromised and rotated immediately. - _ One Secret Per Environment - Use a different secret for development, staging, and production. Sharing a secret across environments means a leak in one environment compromises the others. Store each in that environment's dedicated configuration.
- _ Rotate Deliberately - Rotating the session secret invalidates every existing signed cookie and logs all users out. Support graceful rotation where possible (Express and Koa accept an array of keys - the first signs, the rest still verify) so you can roll the secret without a hard logout.
- _ Keep It Server-Side - A session secret must never reach the browser, appear in client-side JavaScript, or be exposed in an API response. It is used only to compute and verify signatures on the server. Combine it with Secure, httpOnly, and SameSite cookie flags for defense in depth.
- _ Encrypt Sensitive Sessions - If you store sensitive data in the session payload (not just an ID), pair the signing secret with encryption using a dedicated encryption key. Signing proves integrity; encryption provides confidentiality.
Technical Implementation
Our session secret generator uses PHP's random_bytes (CSPRNG) ensuring cryptographic randomness, then encodes the bytes in your chosen format:
// Session Secret Generation Algorithm
Algorithm: Cryptographically Secure Random Secret Generation
// Step 1: Generate Random Bytes
byte_length = 32 (configurable: 16-128 bytes)
random_bytes = random_bytes(byte_length) // PHP CSPRNG
// Example: 32 bytes = 256 bits of entropy
// Step 2: Encode Based on Format
if (format == "base64") then:
secret = base64_encode(random_bytes)
// Example: k9Qm2X7pL4wV6sZ8aB1cD0eF3gH5jN7rT2yU4iO6pA=
else if (format == "base64url") then:
secret = base64_encode(random_bytes)
secret = strtr(secret, '+/', '-_') // URL-safe chars
secret = rtrim(secret, '=') // Remove padding
else if (format == "hex") then:
secret = bin2hex(random_bytes)
// Example: c87de4...93f (64 hex chars for 32 bytes)
else if (format == "alphanumeric") then:
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
secret = ''
for i = 0 to (byte_length * 2) do:
secret += charset[random_int(0, 61)]
// Step 3: Use in your framework (environment variable)
// Express: SESSION_SECRET=
// Flask: SECRET_KEY=
// Django: SECRET_KEY=
API Access for Developers
Frequently Asked Questions
What is a session secret and why do I need one?
What should I set SESSION_SECRET to in Express?
session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false }). Do not hard-code the string. express-session also accepts an array of secrets - the first signs new cookies and the rest still verify old ones, which lets you rotate the secret without logging everyone out. Use Base64 or Hex encoding.
Is SECRET_KEY in Flask or Django the same thing?
SECRET_KEY serves the same role as Express's SESSION_SECRET: it signs session cookies (and in Flask, other signed values like CSRF tokens and flash messages). Generate at least 32 bytes of CSPRNG randomness, store it in an environment variable, and load it in config (app.config["SECRET_KEY"] = os.environ["SECRET_KEY"] for Flask, SECRET_KEY = os.environ["SECRET_KEY"] in Django settings). Never use the default or example key in production.
How long should a session secret be?
What happens when I rotate the session secret?
Where should I store the session secret?
.env file that is excluded from version control, or in a dedicated secrets manager (AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, Doppler, or your host's config vars). Never commit it to git, never embed it in client-side code, and never expose it in an API response or log line. Use a distinct secret for each environment so a leak in one does not compromise the others.
[ HOW TO CITE THIS PAGE ]
Generate-Random.org. (2026). Session Secret Generator. Retrieved from https://generate-random.org/session-secrets
Session Secret Generator - Generate-Random.org (https://generate-random.org/session-secrets)