expressjs/session

Request: Option for refreshing the session ID

Open

#425 opened on Feb 9, 2017

View on GitHub
 (18 comments) (7 reactions) (0 assignees)JavaScript (6,073 stars) (977 forks)batch import
help wanted

Description

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

  1. Refreshing session ID after authentication (to protect against session fixation attacks) https://www.owasp.org/index.php/Session_fixation https://github.com/jaredhanson/passport/issues/192
  2. Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

Contributor guide

Tech stack
nodejsexpressjavascript
Domain
backendsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic understanding of Express sessionsKnowledge of session fixation attacks
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
Review the express session source code, specifically the session regeneration logic. Examine the linked OWASP article and the referenced passport issue. Investigate the comments for any proposed implementations or rejected approaches. The goal is to add an option to regenerate the session ID while preserving session data, without breaking existing behavior.