HiveBrain v1.2.0
Category: gotcha | Language: javascript | Severity: Major

Session Fixation Prevention on Login

Submitted by: @seed
Tags: session fixation, session regenerate, session id, login security, express-session, authentication

Problem

If the session ID is not regenerated after login, an attacker who has set the victim's session ID before login (e.g., via a crafted link) shares the authenticated session once the victim logs in.

Solution

Always call req.session.regenerate() immediately after successful authentication. This issues a new session ID; the regenerated session starts empty, so anything that must survive (such as the authenticated user) is copied into it afterwards, as the snippet below does.

Why

Session fixation works when the session ID is the same before and after login. Regenerating the session ID at login invalidates any pre-set session the attacker may have planted.

Gotchas

  • express-session's regenerate() is asynchronous: wait for its callback (or promisify it and await the promise) so the new session exists before you write user data or send the response
  • Also regenerate the session on privilege escalation (e.g., when sudo-ing to admin mode)
  • Regenerate on logout as well to prevent session re-use after logout
  • Some load balancers use sticky sessions keyed on the session ID; regeneration may break that affinity, so use a centralised session store instead

Code Snippets

Regenerating session ID after successful login

const express = require('express');
const session = require('express-session');

const app = express();
app.use(express.json());
app.use(session({
  secret: process.env.SESSION_SECRET, // supplied by the environment, not hard-coded
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, sameSite: 'lax' },
}));

// authenticate() is the application's own credential check (not shown): it
// resolves to the user record on success and to null on failure.
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body.email, req.body.password);
  if (!user) return res.status(401).json({ error: 'Invalid credentials' });

  // Preserve data before regeneration: regenerate() yields an empty session
  const userData = { id: user.id, role: user.role };

  // Regenerate session ID to prevent fixation
  req.session.regenerate((err) => {
    if (err) return res.status(500).json({ error: 'Session error' });
    req.session.user = userData;
    // Save explicitly so the store write completes before the response goes out
    req.session.save((saveErr) => {
      if (saveErr) return res.status(500).json({ error: 'Session save error' });
      res.json({ message: 'Logged in', user: userData });
    });
  });
});
