Failure to abandon session — CodeQL query help documentation
ID: js/session-fixation Kind: problem Security severity: 5 Severity: warning Precision: medium Tags: - security - external/cwe/cwe-384 Query suites: - javascript-security-extended.qls - javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Reusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.
Recommendation¶
Always use req.session.regenerate(...); to start a new session when a user logs in or out.
Example¶
The following example shows the previous session being used after authentication. This would allow a previous user to use the new user’s account.
const express = require('express'); const session = require('express-session'); var bodyParser = require('body-parser') const app = express(); app.use(bodyParser.urlencoded({ extended: false })) app.use(session({ secret: 'keyboard cat' })); app.post('/login', function (req, res) { // Check that username password matches if (req.body.username === 'admin' && req.body.password === 'admin') { req.session.authenticated = true; res.redirect('/'); } else { res.redirect('/login'); } });
This code example solves the problem by not reusing the session, and instead calling req.session.regenerate() to ensure that the session is not reused.
const express = require('express'); const session = require('express-session'); var bodyParser = require('body-parser') const app = express(); app.use(bodyParser.urlencoded({ extended: false })) app.use(session({ secret: 'keyboard cat' })); app.post('/login', function (req, res) { // Check that username password matches if (req.body.username === 'admin' && req.body.password === 'admin') { req.session.regenerate(function (err) { if (err) { res.send('Error'); } else { req.session.authenticated = true; res.redirect('/'); } }); } else { res.redirect('/login'); } });
References¶
OWASP: Session fixation
Stack Overflow: Creating a new session after authentication with Passport
jscrambler.com: Best practices for secure session management in Node
Common Weakness Enumeration: CWE-384.