Session fixation attack prevention
sylc opened this issue · comments
I cannot see any mechanism to rotate the session key in order to prevent session fixation attacks when using this library for authentication.
I would like to be able to rotate the session key during a successful login. Maybe something like:

```js
// email/password validation code...
ctx.state.session.rotate()
ctx.state.session.set("userId", "....");
return new Response...
```
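To make the requested behaviour concrete, here is an added example (not part of the issue and not this library's code) of an in-memory session store with a `rotate()` step, plus a constructed login flow that shows why rotation matters: without it, the session id the browser held before authentication is the same id that carries `userId` afterwards, so anyone who knew the pre-login id now has an authenticated session. `SessionStore`, `login` and the `node:crypto` id generator are assumptions of this example, not the library's API.

```typescript
import { randomBytes } from "node:crypto";

type SessionData = Record<string, unknown>;

// Minimal server-side session store (constructed for this example).
class SessionStore {
  private readonly sessions = new Map<string, SessionData>();

  // The id generator is injectable so tests can use deterministic ids;
  // the default draws 256 bits from the CSPRNG.
  constructor(
    private readonly newId: () => string = () => randomBytes(32).toString("hex"),
  ) {}

  // Start an empty session and return its id (the value placed in the cookie).
  create(): string {
    const id = this.newId();
    this.sessions.set(id, {});
    return id;
  }

  get(id: string): SessionData | undefined {
    return this.sessions.get(id);
  }

  has(id: string): boolean {
    return this.sessions.has(id);
  }

  set(id: string, key: string, value: unknown): void {
    const data = this.sessions.get(id);
    if (data === undefined) throw new Error("unknown session id");
    data[key] = value;
  }

  // Move the session's data to a freshly generated id and discard the old id.
  // A cookie still carrying the old id no longer maps to any session, so an id
  // that was known before authentication is useless after it. An unknown old id
  // simply starts from empty data.
  rotate(oldId: string): string {
    const data = this.sessions.get(oldId) ?? {};
    this.sessions.delete(oldId);
    const id = this.newId();
    this.sessions.set(id, data);
    return id;
  }
}

// Constructed login handler. `sessionId` is the id read from the request cookie;
// the return value is the id the response must write back as the cookie.
function login(
  store: SessionStore,
  sessionId: string,
  userId: string,
  rotate: boolean,
): string {
  // ...email/password validation would run here (assumed to have succeeded)...
  const id = rotate ? store.rotate(sessionId) : sessionId;
  store.set(id, "userId", userId);
  return id;
}

// Stand-alone demo: compare both flows on a session that existed before login.
function demo(): { rotated: boolean; oldIdStillValid: boolean } {
  const store = new SessionStore();
  const preLoginId = store.create(); // id the browser (and possibly an attacker) already holds
  store.set(preLoginId, "cart", ["book"]);
  const postLoginId = login(store, preLoginId, "alice", true);
  return { rotated: postLoginId !== preLoginId, oldIdStillValid: store.has(preLoginId) };
}

console.log(demo()); // { rotated: true, oldIdStillValid: false }
```

The important ordering is rotate first, then write the authenticated state: the new id is created before `userId` is stored, so the user's identity never lives under an id that was issued pre-authentication. Data that should survive login (here a shopping cart) is carried across.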
@sylc
I totally agree.
I believe this is a necessary implementation.
If you are not working on a specific implementation, I would try to have it ready within a month.
I am trying to figure out how to make it work safely (and actually avoid errors) for cookie sessions that use JWT.
I would be grateful if you would allow me to request a review from you, if you like.