Octo8080X / fresh-session

Dead simple cookie-based session for Deno Fresh.

Session fixation attack prevention

sylc opened this issue · comments

I cannot see any mechanism to rotate the session key in order to prevent session fixation attacks when using this library for authentication.

I would like to be able to rotate the session key during a successful login. Maybe something like:

```ts
// email/password validation code...
ctx.state.session.rotate();
ctx.state.session.set("userId", "....");
return new Response...
```
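To make the point of the request concrete, here is an added, self-contained illustration (not the library's code) of why the session id must be replaced at login: an id that was valid before authentication keeps resolving to the now-authenticated session unless it is rotated. It assumes an in-memory store as a stand-in for the library's cookie-backed one, and the `rotate()` name mirrors the API proposed above.

```typescript
import { randomUUID } from "node:crypto";

type SessionData = Record<string, string>;

// Minimal server-side session store, constructed for this example only.
class SessionStore {
  private readonly sessions = new Map<string, SessionData>();

  // Issue an anonymous session; the returned id is what the cookie carries.
  create(): string {
    const id = randomUUID();
    this.sessions.set(id, {});
    return id;
  }

  get(id: string): SessionData | undefined {
    return this.sessions.get(id);
  }

  // Move the session's data to a fresh, unpredictable id and invalidate the
  // old one. The name mirrors the `rotate()` proposed in this issue.
  rotate(oldId: string): string {
    const data = this.sessions.get(oldId) ?? {};
    this.sessions.delete(oldId);
    const newId = randomUUID();
    this.sessions.set(newId, data);
    return newId;
  }
}

// Login handler, called after credentials have been verified. Returns the id
// that must be written back in the Set-Cookie header.
function login(store: SessionStore, cookieId: string, userId: string, rotateOnLogin: boolean): string {
  const id = rotateOnLogin ? store.rotate(cookieId) : cookieId;
  const session = store.get(id);
  if (!session) throw new Error("unknown session id");
  session.userId = userId; // the Map holds the same object, so this persists
  return id;
}

// Checks the defence: an id that was valid before login (the precondition of
// session fixation) must not resolve to the authenticated session afterwards.
function fixationSucceeds(store: SessionStore, rotateOnLogin: boolean): boolean {
  const preLoginId = store.create();                // id known before authentication
  login(store, preLoginId, "alice", rotateOnLogin); // user authenticates with that cookie
  return store.get(preLoginId)?.userId === "alice";
}
```

Rotating only at login is the minimum; the same rotation belongs at any privilege change, and the old id must be invalidated server-side, not merely replaced in the cookie.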

@sylc
I totally agree.
I believe this is a necessary implementation.

If you are not into specific development, I would try to have it ready within a month.
I am trying to figure out how to make it work safely (and actually avoid errors) for cookie sessions that use JWT.
I would be grateful if you would allow me to request a review, if you like.

@sylc

I implemented one that rotates session keys. We hope you will give it a try.
#25