expressjs/session

Request: Option for refreshing the session ID

Open

#425 aberto em 9 de fev. de 2017

Ver no GitHub
 (18 comments) (7 reactions) (0 assignees)JavaScript (977 forks)batch import
help wanted

Métricas do repositório

Stars
 (6.073 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (2 fundiu PRs em 30d)

Description

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

  1. Refreshing session ID after authentication (to protect against session fixation attacks) https://www.owasp.org/index.php/Session_fixation https://github.com/jaredhanson/passport/issues/192
  2. Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

Guia do colaborador