expressjs/session

Request: Option for refreshing the session ID

Open

#425 建立於 2017年2月9日

在 GitHub 查看
 (18 留言) (7 反應) (0 負責人)JavaScript (977 fork)batch import
help wanted

倉庫指標

Star
 (6,073 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 2 個 PR)

描述

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

  1. Refreshing session ID after authentication (to protect against session fixation attacks) https://www.owasp.org/index.php/Session_fixation https://github.com/jaredhanson/passport/issues/192
  2. Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

貢獻者指南