`autoCommit = false` makes `ctx.session = null` not work for clearing cookies
vjpr opened this issue · comments
Cookies are cleared by `ContextSession#commit()` if `ContextSession#session` is false.

For `ContextSession#session` to become false using the public API, you must use the setter `ctx.session = null`.

But then, when you want to run `ctx.session.manuallyCommit()`, the `ctx.session` getter returns `null`.

It works when `autoCommit = true`, because it runs `ContextSession#commit()` after all middleware has run, which will remove the session.
The security vulnerability is session fixation from session key re-use: a hacker steals the cookie, the user logs out, then logs back in, and the hacker still has access.
Workaround:

```js
// Grab the internal session context before the getter starts returning null
const sessionContext = ctx.session._sessCtx
// Mark the session as destroyed (ContextSession#session becomes false)
ctx.session = null
// Commit explicitly so the cookie is actually cleared
await sessionContext.commit()
```
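The getter/setter/commit interaction described in this issue, as an added runnable model that is not koa-session's own code: `ContextSession`, `Session`, the `koa.sess` cookie name, `makeContext`, `naiveLogout`, `logoutWithWorkaround` and `cookieCleared` are all simplified stand-ins constructed for this example, with cookie storage reduced to a plain object and only the `null` assignment modelled on the setter. It shows why the cookie survives a logout when `autoCommit` is off, and why holding the internal session context before clearing makes the workaround above succeed.

```javascript
// Added example (not koa-session's own code): a stripped-down model of the
// getter/setter/commit interaction from the issue, so the failure and the
// workaround can be run offline under Node. Cookie storage is a plain object.

// Assumption: only the parts of ContextSession relevant to this issue are modelled.
class ContextSession {
  constructor(ctx) {
    this.ctx = ctx;
    // constructed sample: a logged-in user's session
    this.session = new Session(this, { userId: 42 });
  }

  // commit() clears the cookie when `session` is falsy, otherwise writes it
  commit() {
    if (!this.session) {
      this.ctx.cookies['koa.sess'] = null; // cookie cleared
    } else {
      this.ctx.cookies['koa.sess'] = JSON.stringify({ userId: this.session.userId });
    }
  }
}

// The object the `ctx.session` getter hands back; `_sessCtx` is the internal
// reference the workaround in the issue relies on.
class Session {
  constructor(sessCtx, data) {
    this._sessCtx = sessCtx;
    Object.assign(this, data);
  }

  manuallyCommit() {
    return this._sessCtx.commit();
  }
}

// Build a ctx whose `session` property behaves like the one in the issue:
// `ctx.session = null` marks the session destroyed, after which the getter
// returns null. With autoCommit=false nothing else ever calls commit().
function makeContext() {
  const ctx = { cookies: { 'koa.sess': '{"userId":42}' } };
  const sessCtx = new ContextSession(ctx);
  Object.defineProperty(ctx, 'session', {
    get() { return sessCtx.session || null; },
    set(value) { if (value === null) sessCtx.session = false; },
  });
  return ctx;
}

// The failing logout: once the getter returns null there is no public way to
// reach manuallyCommit(), so the cookie keeps the old session key.
function naiveLogout(ctx) {
  ctx.session = null;
  let error = null;
  try {
    ctx.session.manuallyCommit(); // TypeError: ctx.session is null here
  } catch (e) {
    error = e.constructor.name;
  }
  return { cookie: ctx.cookies['koa.sess'], error };
}

// The issue's workaround: hold the internal session context first, then
// destroy the session and commit through the saved reference.
function logoutWithWorkaround(ctx) {
  const sessionContext = ctx.session._sessCtx;
  ctx.session = null;
  sessionContext.commit();
  return { cookie: ctx.cookies['koa.sess'], error: null };
}

// A check worth keeping in a logout test: after logout the session cookie
// must be cleared, otherwise the old session key remains usable.
function cookieCleared(ctx) {
  return ctx.cookies['koa.sess'] === null;
}
```

Running `naiveLogout(makeContext())` returns the unchanged cookie together with a `TypeError`, while `logoutWithWorkaround(makeContext())` returns a cleared cookie; `cookieCleared` is the assertion a logout test should make so a regression of this kind is caught before it ships.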
@dead-horse Any chance getting a fix for this?
@galvez Maybe you can think of a way to do it, as you implemented `autoCommit`.