Session fixation might allow an attacker to reuse an existing session identifier in order to gain access to an authenticated session. Previous session IDs must be invalidated when authenticating new users.
1
2import express, { Express, Request, Response } from 'express'
3import passport from 'passport'
4var app: Express = express()
5function sessionFixationNoncompliant() {
6 app.post(
7 "/somepage",
8 passport.authenticate("local", { failureRedirect: "/somepage" }),
9 function (req: Request, res: Response) {
10 // Noncompliant: session.regenerate is absent.
11 res.redirect("/")
12 },
13 );
14}
1import express, { Express, Request, Response } from 'express'
2import passport from 'passport'
3var app: Express = express()
4function sessionFixationCompliant() {
5 app.post(
6 "/somepage",
7 passport.authenticate("local", { failureRedirect: "/somepage" }),
8 function (
9 req: { session: { regenerate: (arg0: (err: any) => void) => void } },
10 res: { redirect: (arg0: string) => void },
11 ) {
12 // Compliant: session.regenerate is used
13 req.session.regenerate((err: any) => {})
14 res.redirect("/404")
15 },
16 );
17}