Feature Request: Add support for storing the session ID in the cookie as a signed value

[rktyt]

Body

Summary

Allow signing of the session ID before storing it in the cookie for improved security.

Background & Motivation

Other frameworks I’m using — such as Remix (@remix-run/node) and Fastify (@fastify/session with @fastify/cookie) — sign the session ID using HMAC.
In the case of Remix, it internally uses the cookie-signature library.

I'm not a security expert, but I asked ChatGPT about this topic, and based on its response, using a signed session ID appears to be a better practice. Here's a comparison it provided:

Criteria	Unsigned Session ID Approach	Signed Session ID Approach
Session ID secrecy	Shared with client (in cookie)	Known only to the server
Risk of session hijacking if cookie is leaked	Present (same in both)	Present (same in both)
Forgery protection (tamper detection)	None	Yes (via signature verification)
Possibility of guessing a valid session ID	Extremely low (if securely generated)	Even lower (signature is unpredictable)

From this, it seems that allowing the session ID to be signed would improve security.

Goals

• Make signing the session ID before storing it in the cookie the default behavior

[ascorbic]

I don't think there is a realistic threat here. The risk of guessing a valid session ID (which is created with randomUUID) is effectively nil, and just as unlikely whether it's signed or not, given the same ID length

[rktyt]

Just to add a follow-up note — here’s another reason why I think it would be beneficial to support this feature.
You might want to check out lucia-auth/lucia#1156.
This isn’t directly a security issue, but signing the session ID along with its expiration can help reduce unnecessary storage access.
When storing a UUID directly in a cookie, you can only validate the format.
With a signature, the server can verify whether the value was actually generated by the app — without hitting storage.
This could be a useful optimization, especially with usage-based storage services.