expressjs/session

Request: Option for refreshing the session ID

Open

Aperta il 9 feb 2017

Vedi su GitHub
 (18 commenti) (7 reazioni) (0 assegnatari)JavaScript (6073 star) (977 fork)batch import
help wanted

Descrizione

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

  1. Refreshing session ID after authentication (to protect against session fixation attacks) https://www.owasp.org/index.php/Session_fixation https://github.com/jaredhanson/passport/issues/192
  2. Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

Guida contributor

Tech stack
nodejsexpressjavascript
Dominio
backendsecurity
Tipo issue
feature
DifficoltàQuanto dovrebbe essere impegnativa per un nuovo contributor.
3
Tempo stimatoTempo stimato per completare e verificare uno scope piccolo.
half day
Stato attivitàQuanto è probabile che la issue sia ancora attiva e reviewable.
stale
ChiarezzaQuanto chiaramente la issue descrive problema, scope e risultato atteso.
clear
Prerequisiti
Basic understanding of Express sessionsKnowledge of session fixation attacks
Adatta ai principiantiQuanto la issue è adatta a contributor alla prima esperienza.
55
Direzione di ricerca
Review the express session source code, specifically the session regeneration logic. Examine the linked OWASP article and the referenced passport issue. Investigate the comments for any proposed implementations or rejected approaches. The goal is to add an option to regenerate the session ID while preserving session data, without breaking existing behavior.