Session fixation Critical

Session fixation might allow an attacker to reuse an existing session identifier in order to gain access to an authenticated session. Previous session IDs must be invalidated when authenticating new users.

Detector ID
jsx/session-fixation@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1var express = require('express')
2var passport = require('passport')
3var app = express()
4function sessionFixationNoncompliant() {
5    app.post('/somepage',
6        passport.authenticate('local', { failureRedirect: '/somepage' }),
7        function(req, res) {
8            // Noncompliant: session.regenerate is absent.
9            res.redirect('/')
10        })
11}

Compliant example

1var express = require('express')
2var passport = require('passport')
3var app = express()
4function sessionFixationCompliant() {
5    app.post('/somepage',
6        passport.authenticate('local', { failureRedirect: '/somepage' }),
7        function(req, res) {
8            // Compliant: session.regenerate is used
9            req.session.regenerate((err) => {
10            })
11            res.redirect('/404')
12        })
13}