`autoCommit = false` makes `ctx.session = null` not work for clearing cookies
Cookies are cleared by `ContextSession#commit()` if `ContextSession#session` is false.
For `ContextSession#session` to become false using the public API, you must use the setter `ctx.session = null`.
But then, when you want to run `ctx.session.manuallyCommit()`, the `ctx.session` getter returns null.
It works when `autoCommit = true`, because it runs `ContextSession#commit()` after all middleware has run, which removes the session.
The security vulnerability is session fixation from session key re-use: a hacker steals the cookie, the user logs out and then logs back in, and the hacker still has access.
Workaround

```js
// Grab the ContextSession before clearing, because the ctx.session getter
// returns null once the session has been set to null.
const sessionContext = ctx.session._sessCtx
// Mark the session as cleared (ContextSession#session becomes false).
ctx.session = null
// Commit through the saved ContextSession so the cookie is actually removed.
await sessionContext.commit()
```
@dead-horse Any chance getting a fix for this?
@galvez Maybe you can think of a way to do it, as you implemented autoCommit.
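As an added example that is not part of this issue or of koa-session's source, the following is a constructed JavaScript model of the behaviour described above: a `ctx.session` accessor backed by a `ContextSession`, `autoCommit`, and `manuallyCommit()`. It reproduces the failure of `ctx.session = null` followed by `ctx.session.manuallyCommit()` when `autoCommit` is false, and shows that the `_sessCtx` workaround (and `autoCommit = true`) do clear the cookie. The cookie name `koa.sess`, the Map-backed cookie jar, and the `{ userId: 42 }` payload are assumptions made for the demo.

```javascript
// Constructed model of the koa-session behaviour described in the issue.
// NOT koa-session's source; cookie name, cookie jar and payload are assumptions.

const SESSION_KEY = 'koa.sess';

// Stand-in for ctx.cookies: set(name, null) deletes the cookie, as koa does.
function makeCookies(initial = {}) {
  const jar = new Map(Object.entries(initial));
  return {
    get: (name) => jar.get(name),
    set: (name, value) => { if (value === null) jar.delete(name); else jar.set(name, value); },
    has: (name) => jar.has(name),
  };
}

class Session {
  constructor(sessCtx, data) {
    Object.assign(this, data);
    // Back-reference to the owning ContextSession, exposed as _sessCtx per the issue.
    Object.defineProperty(this, '_sessCtx', { value: sessCtx, enumerable: false });
  }
  // Public commit path when autoCommit = false.
  async manuallyCommit() {
    await this._sessCtx.commit();
  }
}

class ContextSession {
  constructor(ctx) {
    this.ctx = ctx;
    this.session = undefined; // undefined: not loaded; false: cleared; else a Session
  }
  get() {
    if (this.session === undefined) {
      const raw = this.ctx.cookies.get(SESSION_KEY);
      this.session = new Session(this, raw ? JSON.parse(raw) : {});
    }
    // Once cleared the public getter yields null: nothing to call manuallyCommit() on.
    return this.session === false ? null : this.session;
  }
  set(val) {
    this.session = val === null ? false : new Session(this, val);
  }
  async commit() {
    if (this.session === false) {
      this.ctx.cookies.set(SESSION_KEY, null); // cleared session: drop the cookie
    } else if (this.session) {
      this.ctx.cookies.set(SESSION_KEY, JSON.stringify({ ...this.session }));
    }
  }
}

// Wire the ctx.session accessor the way the middleware does.
function makeCtx(cookies) {
  const ctx = { cookies };
  const sessCtx = new ContextSession(ctx);
  Object.defineProperty(ctx, 'session', {
    get: () => sessCtx.get(),
    set: (val) => sessCtx.set(val),
  });
  return { ctx, sessCtx };
}

// Simulate one request that arrives with an existing session cookie.
// Returns whether the cookie was cleared and any error the handler threw.
async function runRequest({ autoCommit }, handler) {
  const cookies = makeCookies({ [SESSION_KEY]: JSON.stringify({ userId: 42 }) });
  const { ctx, sessCtx } = makeCtx(cookies);
  let error = null;
  try {
    await handler(ctx);
  } catch (e) {
    error = e;
  }
  if (autoCommit) await sessCtx.commit(); // runs after all middleware
  return { cookieCleared: !cookies.has(SESSION_KEY), error };
}

// Logout as documented: fails with autoCommit = false because the getter now returns null.
async function logoutViaGetter(ctx) {
  ctx.session = null;
  await ctx.session.manuallyCommit(); // TypeError: cannot read property of null
}

// The workaround from the issue: keep the ContextSession, then clear and commit.
async function logoutViaSessCtx(ctx) {
  const sessionContext = ctx.session._sessCtx;
  ctx.session = null;
  await sessionContext.commit();
}

(async () => {
  for (const [name, handler] of [['getter', logoutViaGetter], ['_sessCtx', logoutViaSessCtx]]) {
    const r = await runRequest({ autoCommit: false }, handler);
    console.log(`autoCommit=false logout via ${name}: cleared=${r.cookieCleared} error=${r.error && r.error.name}`);
  }
})();
```

The check worth keeping from this is the observable one: whichever logout path you use, the logout response must actually carry the cookie-clearing `Set-Cookie` header, otherwise the old session key stays valid in the browser (and in the attacker's copy of it).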