# talk-kratos
b
I’m trying to understand how Kratos works and I came across one issue that bothers me. Considering the quality of your blog post, I thought I could ask the source rather than trying to find the answer on my own. User sessions are stored in the `sessions` table. The `token` column stores the session token in plaintext. Many people advise that session tokens should be hashed to provide additional protection. After all, this value can be used directly to impersonate any user registered in Kratos. I know I shouldn’t compare session tokens to user passwords (because passwords could potentially be reused on other websites, they are not autogenerated, and revoking them is more painful compared to session tokens, etc.) and I think I partially know the answer to my own question, but it would be nice to get some professional feedback from you. Thanks in advance!
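As an added illustration of the hashed-at-rest approach the question raises (example code written for this page, not Ory Kratos's own implementation or schema), the following models a `sessions` table as an in-memory dictionary keyed by the SHA-256 of the token. The `SessionStore` class, its method names and the dictionary layout are assumptions for the example. Because the token is random and high-entropy rather than user-chosen, a fast hash is enough: an attacker who reads the table gets only digests, which cannot be presented as tokens and cannot feasibly be inverted.

```python
import hashlib
import secrets
import time


def hash_token(token: str) -> str:
    """Digest used as the stored key for a session token.

    SHA-256 (not a slow password hash) is appropriate here: the token is
    generated with ~256 bits of entropy, so guessing the preimage is not
    feasible and the slow-hash cost that protects human passwords buys nothing.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """Constructed stand-in for a `sessions` table (hypothetical, not Kratos's schema).

    Rows are keyed by hash_token(token); the clear-text token is never persisted.
    """

    def __init__(self):
        # token_hash -> {"identity_id": str, "expires_at": float}
        self._rows = {}

    def create(self, identity_id: str, ttl_seconds: int = 3600) -> str:
        """Issue a new session. The clear token is returned to the caller once
        (to be sent to the client) and only its hash is stored."""
        token = secrets.token_urlsafe(32)
        self._rows[hash_token(token)] = {
            "identity_id": identity_id,
            "expires_at": time.time() + ttl_seconds,
        }
        return token

    def lookup(self, token: str):
        """Resolve a presented token to an identity, or None if unknown/expired.
        The presented value is hashed and the digest is used for the lookup, so
        the store never needs the clear token after issuance."""
        row = self._rows.get(hash_token(token))
        if row is None or row["expires_at"] < time.time():
            return None
        return row["identity_id"]

    def revoke(self, token: str) -> bool:
        """Delete the session for a presented token; True if one existed."""
        return self._rows.pop(hash_token(token), None) is not None

    def dump(self):
        """Everything a reader of the table would see: digests only."""
        return list(self._rows.keys())


def leaked_hash_is_useless(store: "SessionStore") -> bool:
    """Check that a digest copied out of the table does not work as a token.
    Presenting the stored digest gets hashed again, which matches no row."""
    return all(store.lookup(digest) is None for digest in store.dump())
```

The trade-off to keep in mind is that the table can no longer be used to look up a session *from* a stored row to recover the token (for example, to display it), which is usually exactly the property one wants; the client is the only holder of the clear value after `create` returns.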