Gotcha · JavaScript · Major
Session Fixation Prevention on Login
Tags: session fixation, session regenerate, session id, login security, express-session, authentication
Problem
If a session ID is not regenerated after login, an attacker who set the victim's session ID before login (e.g., via a link) will share the authenticated session after the victim logs in.
Solution
Always call session.regenerate() immediately after successful authentication. This issues a new session ID and a fresh session object; any data you need to keep (the authenticated user's identity, for example) must be copied over explicitly, as the snippet below does.
Why
Session fixation works when the session ID is the same before and after login. Regenerating the session ID at login invalidates any pre-set session the attacker may have planted.
Gotchas
- express-session's regenerate() is asynchronous and callback-based: either finish the work inside the callback or wrap it (e.g. with util.promisify) and await it, so it completes before the response is sent
- Also regenerate the session on privilege escalation (e.g., when sudo-ing to admin mode)
- Regenerate on logout as well to prevent session re-use after logout
- Some load balancers use sticky sessions based on session ID—regeneration may break affinity; use a centralised session store instead
Code Snippets
Regenerating session ID after successful login

    const express = require('express');
    const session = require('express-session');

    const app = express();
    app.use(express.json());
    app.use(session({
      secret: process.env.SESSION_SECRET, // keep the secret out of source control
      resave: false,
      saveUninitialized: false,
    }));

    // authenticate(email, password) is assumed to resolve to a user object or null
    app.post('/login', async (req, res) => {
      const user = await authenticate(req.body.email, req.body.password);
      if (!user) return res.status(401).json({ error: 'Invalid credentials' });

      // Preserve the data to carry over: regenerate() starts from an empty session
      const userData = { id: user.id, role: user.role };

      // Regenerate the session ID to prevent fixation
      req.session.regenerate((err) => {
        if (err) return res.status(500).json({ error: 'Session error' });
        req.session.user = userData;
        req.session.save((saveErr) => {
          if (saveErr) return res.status(500).json({ error: 'Session save error' });
          res.json({ message: 'Logged in', user: userData });
        });
      });
    });