Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that the attacker already knows. To avoid fixation attacks, it is good practice to generate a new session each time a user authenticates and to delete/invalidate the existing session (the one possibly known by the attacker), so that the pre-authentication session ID never becomes an authenticated one.
Noncompliant Code Example
For Passport.js:
app.post('/login',
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    // Sensitive - no session.regenerate after login: the pre-login session ID stays valid
    res.redirect('/');
  });
Compliant Solution
For Passport.js:
app.post('/login',
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res, next) {
    // Keep a reference to the pre-login session so its state can be copied over
    let prevSession = req.session;
    req.session.regenerate((err) => { // Compliant: the pre-login session ID is invalidated
      if (err) { return next(err); }
      // Carry the needed state (including the Passport login) into the new session
      Object.assign(req.session, prevSession);
      res.redirect('/');
    });
  });
See