Failure to abandon session¶
ID: js/session-fixation
Kind: problem
Security severity: 5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-384
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Reusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.
Recommendation¶
Always use req.session.regenerate(...);
to start a new session when a user logs in or out.
Example¶
The following example shows the previous session being used after authentication. This would allow a previous user to use the new user’s account.
const express = require('express');
const session = require('express-session');
var bodyParser = require('body-parser')
const app = express();
app.use(bodyParser.urlencoded({ extended: false }))
app.use(session({
secret: 'keyboard cat'
}));
app.post('/login', function (req, res) {
// Check that username password matches
if (req.body.username === 'admin' && req.body.password === 'admin') {
req.session.authenticated = true;
res.redirect('/');
} else {
res.redirect('/login');
}
});
This code example solves the problem by not reusing the session, and instead calling req.session.regenerate()
to ensure that the session is not reused.
const express = require('express');
const session = require('express-session');
var bodyParser = require('body-parser')
const app = express();
app.use(bodyParser.urlencoded({ extended: false }))
app.use(session({
secret: 'keyboard cat'
}));
app.post('/login', function (req, res) {
// Check that username password matches
if (req.body.username === 'admin' && req.body.password === 'admin') {
req.session.regenerate(function (err) {
if (err) {
res.send('Error');
} else {
req.session.authenticated = true;
res.redirect('/');
}
});
} else {
res.redirect('/login');
}
});
References¶
OWASP: Session fixation
Stack Overflow: Creating a new session after authentication with Passport
jscrambler.com: Best practices for secure session management in Node
Common Weakness Enumeration: CWE-384.