Request: Option for refreshing the session ID

[gk0us]

Sometimes, there is the need to refresh the session ID without loosing the session data.

Examples:

1. Refreshing session ID after authentication (to protect against session fixation attacks)
   https://www.owasp.org/index.php/Session_fixation
   session fixation attack jaredhanson/passport#192
2. Manually refreshing session ID before it expires (e.g. if the user wants to keep working after the maximum session lifetime, but we do not want the same session ID to be used)

[dougwilson]

I don't see any particular reason something like this cannot be added here. Perhaps as an option to the current req.session.regenerate (like {copy: true}?).

[gk0us]

I cannot see any reason why not, either. The {copy:true} option is an efficient solution.

[joh-klein]

I quite like how the did it in PHP (I know, the horror): http://php.net/manual/en/function.session-regenerate-id.php

default is to keep the old session data

[joh-klein]

How would you go about it? Just copy the whole req.session to temp and then back again?

[gk0us]

@joh-klein, I am not sure if this will work, since the old session.id will be copied back too. Correct me if I am wrong.

I've found this stack exchange solution but I was not able to figure it out.
http://stackoverflow.com/a/30468384

[joh-klein]

If I understand this correctly, id is not actually part of the session object, which correlates with my experience when I console.log(req.session)

[dougwilson]

Hi @joh-klein req.session.id is indeed a thing, it's just the id property is not enumerable, so console.log just doesn't show it by default.

[joh-klein]

@dougwilson , thanks for the clarification. So far, this has worked for me:

let tempSession = req.session;

req.session.regenerate((err) => {
  Object.assign(req.session, tempSession);
  res.redirect('/');
});

I have thought about deleting tempSession.cookie since in my case I am also fine with a session restart.

[gk0us]

Great idea @joh-klein using the Object.assign() function. I wasn't familiar with it. Since it only copies the enumerable properties of the session object, it does not mess with the refreshed session.id .

I have thought about deleting tempSession.cookie since in my case I am also fine with a session restart.

Can you elaborate on that? If I understand correctly, the req.session.cookie object is used to set the attributes of the cookie for the current request (e.g. path, expires, maxAge etc.).

1. Why will the session restart if deleting this?
2. If you really want to restart the session, why don't you just regenerate the (authenticated) session and pass the old passport object (assuming that you are using passport).

[joh-klein]

Thanks. Yes, Object.assign() works quite well. Especially in this case.

Can you elaborate on that? If I understand correctly, the req.session.cookie object is used to set the attributes of the cookie for the current request (e.g. path, expires, maxAge etc.).

Well, my thought was, that if I copied the old cookie properties over to the new session it would use the previous settings for expires. So with restart I meant that the expiry date would be reset. But to be honest, I haven't tested that part since I am neither setting maxAge nor expires.

[gk0us]

It seems that there is no need to remove the cookie. The cookie.expires value is refreshed because of redirect(). I guess that it's the session.touch() function's doing.

Edit: Misclicked and closed the issue. Reopened.