Re-create the Session When the User Logs In
Many web applications create a session even when the user isn't authenticated, in order to track the user for marketing or related reasons. These applications often make the mistake of escalating that non-authenticated session to an authenticated one simply by setting flags on the Session object. This isn't a secure approach because it leaves the application open to session-fixation attacks.
In a session-fixation attack, the attacker first arranges for the target's browser to use a session ID the attacker already knows (for example, by planting a session cookie). Once the target authenticates under that session, the attacker presents the same ID and hijacks the now-privileged session. This is why you should regenerate the session ID every time the session's privileges are escalated: the attacker's known ID then refers to a session that no longer exists.
You can do that by extending the express Session object's login ...