Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixing session fixation vulnerabilities in default application #88

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

lavish
Copy link

@lavish lavish commented Jul 21, 2022

This patch regenerates the session identifier on login/signup, fixing session fixation vulnerabilities in the default application. Furthermore, the proposed change prevents CSRF fixation attacks by forcing the recreation of the csrfSecret session field.

Notice that the session.regenerate(callback) method creates a new Session instance, removing all existing attributes from the session. To preserve specific session values between unauthenticated and authenticated states it would be possible to define a configurable allow-list of attributes that should be copied from the old session into the new one.

We also urge the maintainers to update the official Sails documentation and incorporate the proposed authentication patterns to avoid session fixation vulnerabilities.

This PR was submitted as requested by the project maintainers after private conversation.

…prevent session fixation attacks. Furthermore, it prevents CSRF fixation attacks by forcing the recreation of the csrfSecret session field
@lavish lavish marked this pull request as ready for review July 21, 2022 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

1 participant