Session fixation Critical

Session fixation might allow an attacker to reuse an existing session identifier in order to gain access to an authenticated session. Previous session IDs must be invalidated when authenticating new users.

Detector ID
typescript/session-fixation@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1
2import express, { Express, Request, Response } from 'express'
3import passport from 'passport'
4var app: Express = express()
5function sessionFixationNoncompliant() {
6  app.post(
7    "/somepage",
8    passport.authenticate("local", { failureRedirect: "/somepage" }),
9    function (req: Request, res: Response) {
10      // Noncompliant: session.regenerate is absent.
11      res.redirect("/")
12    },
13  );
14}

Compliant example

1import express, { Express, Request, Response } from 'express'
2import passport from 'passport'
3var app: Express = express()
4function sessionFixationCompliant() {
5  app.post(
6    "/somepage",
7    passport.authenticate("local", { failureRedirect: "/somepage" }),
8    function (
9      req: { session: { regenerate: (arg0: (err: any) => void) => void } },
10      res: { redirect: (arg0: string) => void },
11    ) {
12      // Compliant: session.regenerate is used
13      req.session.regenerate((err: any) => {})
14      res.redirect("/404")
15    },
16  );
17}