Sometimes there is the need to refresh the session ID without losing the session data.
Examples:
I don't see any particular reason something like this cannot be added here. Perhaps as an option to the current req.session.regenerate (like {copy: true}?).
I cannot see any reason why not, either. The {copy:true} option is an efficient solution.
I quite like how they did it in PHP (I know, the horror): http://php.net/manual/en/function.session-regenerate-id.php
default is to keep the old session data
How would you go about it? Just copy the whole req.session to temp and then back again?
@joh-klein, I am not sure if this will work, since the old session.id will be copied back too. Correct me if I am wrong.
I've found this Stack Exchange solution, but I was not able to figure it out.
http://stackoverflow.com/a/30468384
If I understand this correctly, id is not actually part of the session object, which correlates with my experience when I console.log(req.session)
Hi @joh-klein, req.session.id is indeed a thing; it's just that the id property is not enumerable, so console.log doesn't show it by default.
@dougwilson , thanks for the clarification. So far, this has worked for me:
// inside an Express route handler (req, res, next)
const tempSession = req.session; // keep a reference to the old session object
req.session.regenerate((err) => {
  if (err) return next(err);
  // copy the old session's enumerable data onto the new session;
  // id is non-enumerable, so the fresh id is not overwritten
  Object.assign(req.session, tempSession);
  res.redirect('/');
});
I have thought about deleting tempSession.cookie since in my case I am also fine with a session restart.
Great idea @joh-klein, using the Object.assign() function. I wasn't familiar with it. Since it only copies the enumerable properties of the session object, it does not mess with the refreshed session.id.
I have thought about deleting tempSession.cookie since in my case I am also fine with a session restart.
Can you elaborate on that? If I understand correctly, the req.session.cookie object is used to set the attributes of the cookie for the current request (e.g. path, expires, maxAge etc.).
Thanks. Yes, Object.assign() works quite well. Especially in this case.
Can you elaborate on that? If I understand correctly, the req.session.cookie object is used to set the attributes of the cookie for the current request (e.g. path, expires, maxAge etc.).
Well, my thought was that if I copied the old cookie properties over to the new session, it would use the previous settings for expires. So with restart I meant that the expiry date would be reset. But to be honest, I haven't tested that part, since I am setting neither maxAge nor expires.
It seems that there is no need to remove the cookie. The cookie.expires value is refreshed because of redirect(). I guess that it's the session.touch() function's doing.
Edit: Misclicked and closed the issue. Reopened.
Please add this feature!
bump!
I made a fix for it as an express middleware. It's on npm here:
https://www.npmjs.com/package/express-session-fixation
@Flame2057 where is the corresponding GitHub repo?
@joh-klein There is none. Why?
As I am using multiple passport strategies @jaredhanson, do I need to write the method below (new session id generation) for every login method of the strategies used, or is there another option?
// Express route; the custom-callback form of passport.authenticate needs (req, res, next)
app.post('/login', function (req, res, next) {
  passport.authenticate('local', function (err, user, info) {
    if (err || !user) {
      return res.status(400).send(info);
    }
    // regenerate BEFORE req.login: regenerate() discards the session data,
    // so logging in first would lose req.session.passport
    req.session.regenerate(function (err) {
      if (err) return next(err);
      req.login(user, function (err) {
        if (err) return res.status(400).send(err);
        // the new session id is now in place; express-session writes the
        // Set-Cookie header with it when the response is sent
        // return the user object
        res.json(user);
      });
    });
  })(req, res, next);
});
The referenced issue is still under review, is there any plan on supporting this?
@omarryhan if that had been stated, this would have been treated differently. Please follow http://expressjs.com/en/resources/contributing.html#security-policies-and-procedures to surface these types of issues.
Please contact us with your report through the appropriate channel so we can assess it. I have deleted your post for now as part of our policy and added a temporary interaction limit in the hope that you will reach out in the appropriate way regarding this. Thank you.