Jackdaw's Nest

Fixing Session Fixation

August 25, 2023

I just ran into a Fixing Session Fixation problem with Passport in a NodeJS app.

I ran into this because the app started returning thir error whn logging out:

Error: req#logout requires a callback function

It turned out that there was a good reason for this breaking change, and that's session fixation.

Luckily, this was an easy fix for the app and security is improved. This is also in line with best practices recommended by OWASP.

Just out of curiosity, I had to check how Symfony (my framework of choice) handles this. To be honest, I hadn't really thought about this issue until now. It looks like you can configure this behaviour in Symfony and updating session ID's to prevent this problem is enabled by default.