Request: Option for refreshing the session ID · expressjs/session#425

(18 comments) (7 reactions) (0 assignees)JavaScript (6,073 stars) (977 forks)batch import

help wanted

説明

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

Refreshing session ID after authentication (to protect against session fixation attacks) https://www.owasp.org/index.php/Session_fixation https://github.com/jaredhanson/passport/issues/192
Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

技術スタック: nodejsexpressjavascript
領域: backendsecurity
Issue 種別: feature
難度: 3
推定時間: half day
活動状況: stale
明確さ: clear
前提条件: Basic understanding of Express sessionsKnowledge of session fixation attacks
初心者向け度: 55
調査方針: Review the express session source code, specifically the session regeneration logic. Examine the linked OWASP article and the referenced passport issue. Investigate the comments for any proposed implementations or rejected approaches. The goal is to add an option to regenerate the session ID while preserving session data, without breaking existing behavior.