diff --git a/src/client/ClientCredential.c b/src/client/ClientCredential.c
index dcdcf71..d96bcdc 100644
--- a/src/client/ClientCredential.c
+++ b/src/client/ClientCredential.c
@@ -32,14 +32,14 @@ Result(ClientCredential*) ClientCredential_create(str username, str password){
     StringBuilder_append_str(&sb, password);
     StringBuilder_append_str(&sb, username);
     Array(u8) password_and_username = str_castTo_Array(StringBuilder_getStr(&sb));
-    cred->aes_key = Array_alloc(u8, password_hash_size);
+    cred->aes_key = Array_alloc(u8, PASSWORD_HASH_SIZE);
     Defer(
         if(!success){
             free(cred->aes_key.data);
         }
     );
     // lvl 1 hash - is used as AES key for user data
-    hash_password(password_and_username, cred->aes_key.data, __passhash_lvl_iter);
+    hash_password(password_and_username, cred->aes_key.data, __PASSWORD_HASH_LVL_ITERATIONS);
 
     DecryptorAES_construct(&cred->user_data_aes_dec, cred->aes_key);
     EncryptorAES_construct(&cred->user_data_aes_enc, cred->aes_key);
diff --git a/src/client/ServerConnection.c b/src/client/ServerConnection.c
index 16cc892..c3daad0 100644
--- a/src/client/ServerConnection.c
+++ b/src/client/ServerConnection.c
@@ -6,6 +6,7 @@ void ServerConnection_close(ServerConnection* conn){
     socket_close(conn->system_socket);
     socket_close(conn->content_socket);
     RSA_destroyPublicKey(&conn->server_pk);
+    free(conn->session_key.data);
     free(conn);
 }
 
@@ -50,16 +51,23 @@ Result(ServerConnection*) ServerConnection_open(ClientCredential* client_credent
         if(!success)
             ServerConnection_close(conn);
     );
+
+    try_void(ServerLink_parse(server_link_cstr, &conn->server_end, &conn->server_pk));
     
+    conn->session_key = Array_alloc_size(__AES_SESSION_KEY_SIZE);
+    br_hmac_drbg_context key_rng = { .vtable = &br_hmac_drbg_vtable };
+    rng_init_sha256_seedFromTime(&key_rng.vtable);
+    br_hmac_drbg_generate(&key_rng, conn->session_key.data, conn->session_key.size);
+    // TODO: add more entropy to the key to prevent easy key cracking when attacker knows the time when connection request was sent to a server
+
     printf("connecting to server %s\n", server_link_cstr);
     try(conn->system_socket, i, socket_open_TCP());
     try_void(socket_connect(conn->system_socket, conn->server_end));
 
-    // send client public key to server
+    // send session key to server
     // request server info
     // show server info
     // save server info to user's db
-    // hash password more times
     // request log in
     // if not registered, request registration and then log in
 
diff --git a/src/client/client.c b/src/client/client.c
index 4151c3a..546b9ba 100644
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -20,7 +20,8 @@ static const str farewell_art = STR(
     "\\(_,J J                          L l`,)/\n"
 );
 
-static ClientCredential* client_credential = NULL;
+static ClientCredential* _client_credential = NULL;
+static ServerConnection* _server_connection = NULL;
 
 static Result(void) commandExec(str command, bool* stop);
 
@@ -48,7 +49,7 @@ Result(void) client_run() {
     using_history();
 
     fputs(greeting_art.data, stdout);
-    try_void(askUserNameAndPassword(&client_credential));
+    try_void(askUserNameAndPassword(&_client_credential));
 
     char* command_input_prev = NULL;
     char* command_input_raw = NULL;
@@ -73,7 +74,8 @@ Result(void) client_run() {
         }
     }
 
-    ClientCredential_free(client_credential);
+    ClientCredential_free(_client_credential);
+    ServerConnection_close(_server_connection);
     Return RESULT_VOID;
 }
 
@@ -104,8 +106,8 @@ static Result(void) commandExec(str command, bool* stop){
         fgets(answer_buf, answer_buf_size, stdin);
         str new_server_link = str_from_cstr(answer_buf);
         str_trim(&new_server_link, true);
-        try(ServerConnection* conn, p, ServerConnection_open(client_credential, new_server_link.data));
-        // TODO: store server connection somewhere
+        ServerConnection_close(_server_connection);
+        try(_server_connection, p, ServerConnection_open(_client_credential, new_server_link.data));
     }
     else if(is_alias("c") || is_alias("connect")){
         // TODO: read saved servers from database
diff --git a/src/client/client.h b/src/client/client.h
index d0a9c8f..fb4211a 100644
--- a/src/client/client.h
+++ b/src/client/client.h
@@ -20,6 +20,7 @@ typedef struct ServerConnection {
     Socket content_socket;
     br_rsa_public_key server_pk;
     EncryptorRSA rsa_enc;
+    Array(u8) session_key;
     EncryptorAES session_aes_enc;
     DecryptorAES session_aes_dec;
 } ServerConnection;
diff --git a/src/cryptography/cryptography.h b/src/cryptography/cryptography.h
index 2fbc5df..1df31b9 100755
--- a/src/cryptography/cryptography.h
+++ b/src/cryptography/cryptography.h
@@ -13,12 +13,12 @@
 
 /// @brief hashes password multiple times using its own hash as salt 
 /// @param password some byte array 
-/// @param out_buffer u8[password_hash_size]
+/// @param out_buffer u8[PASSWORD_HASH_SIZE]
 /// @param iterations number of iterations
 void hash_password(Array(u8) password, u8* out_buffer, i32 iterations);
-#define password_hash_size 32
+#define PASSWORD_HASH_SIZE 32
 
-#define __passhash_lvl_iter 1e5
+#define __PASSWORD_HASH_LVL_ITERATIONS 1e5
 
 //////////////////////////////////////////////////////////////////////////////
 //                                  rng.c                                  //
@@ -38,6 +38,9 @@ void rng_init_sha256_seedFromTime(const br_prng_class** rng_vtable_ptr);
 //                                  AES.c                                   //
 //////////////////////////////////////////////////////////////////////////////
 
+#define __AES_SESSION_KEY_SIZE 32
+#define __AES_DB_KEY_SIZE 32
+
 typedef struct EncryptedBlockInfo {
     u8 padding_size;
     u32 _reserved;
@@ -87,7 +90,7 @@ void DecryptorAES_decrypt(DecryptorAES* ptr, Array(u8) src, Array(u8) dst, u32*
 //                                  RSA.c                                   //
 //////////////////////////////////////////////////////////////////////////////
 
-#define __rsa_key_size_default 3072
+#define __RSA_DEFAULT_KEY_SIZE 3072
 
 /// @brief generate random key pair based on system time
 /// @param key_size size of public key in bits (2048/3072/4096)
diff --git a/src/cryptography/hash.c b/src/cryptography/hash.c
index 8ce6879..3fc4069 100755
--- a/src/cryptography/hash.c
+++ b/src/cryptography/hash.c
@@ -3,7 +3,7 @@
 #include "assert.h"
 
 void hash_password(Array(u8) password, u8* out_buffer, i32 iterations){
-    assert(password_hash_size == br_sha256_SIZE);;
+    assert(PASSWORD_HASH_SIZE == br_sha256_SIZE);;
     memset(out_buffer, 0, br_sha256_SIZE);
     br_sha256_context sha256_ctx;
     br_sha256_init(&sha256_ctx);
@@ -11,7 +11,7 @@ void hash_password(Array(u8) password, u8* out_buffer, i32 iterations){
     for(i32 i = 0; i < iterations; i++){
         br_sha256_update(&sha256_ctx, password.data, password.size);
         br_sha256_out(&sha256_ctx, out_buffer);
-        br_sha256_update(&sha256_ctx, out_buffer, password_hash_size);
+        br_sha256_update(&sha256_ctx, out_buffer, PASSWORD_HASH_SIZE);
     }
     br_sha256_out(&sha256_ctx, out_buffer);
 }