[keyserver] Stop using bcrypt for session validation in new cookies
Summary:
Today about 50% of our keyserver CPU is used on session validation via bcrypt. This is very silly.
bcrypt is designed to be very CPU-expensive on purpose. It's designed that way to protect against dictionary attacks.
That sort of protection is absolutely unnecessary for our cookiePasswords, which are 32 random bytes. There is no dictionary attack against random strings.
To save CPU, while preserving the property that somebody with the MariaDB database can't forge a cookie, this diff moves us to store a simple sha256 hash in the database instead of a bcrypt hash.
Test Plan:
- Make sure existing cookies still work by refreshing the web app in my local environment
- Create a new cookie by logging out and back in on web in my local environment. Refresh the page to make sure things still work
Reviewers: atul, tomek
Reviewed By: tomek
Subscribers: wyilio
Differential Revision: https://phab.comm.dev/D9546