Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-12-21 07:50:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: roll session identifier on login, as security best practice

Browse Source 
see: https://owasp.org/www-community/attacks/Session_fixation
This commit is contained in:
Julian Lam
2021-04-13 21:32:16 -04:00
parent e845c34b52
commit 697ed3bf37
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/controllers/authentication.js
View File

@@ -326,6 +326,9 @@ authenticationController.doLogin = async function (req, uid) {
return; return;
} }
const loginAsync = util.promisify(req.login).bind(req); const loginAsync = util.promisify(req.login).bind(req);
const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
await regenerateSession();
await loginAsync({ uid: uid }); await loginAsync({ uid: uid });
await authenticationController.onSuccessfulLogin(req, uid); await authenticationController.onSuccessfulLogin(req, uid);
}; };