Add feature of regeneration for #34
Coverage remained the same at 100.0% when pulling dcede0c23b2b434ce03d30b3a7d307f0977fe384 on so-glad:feature/regeneration into 777c8e836d74ea12f810c104eb4bbc61d2586365 on koajs:master.
Just await ctx.regenerateSession() to regenerate a new session. I've tested in an env of Mac, koa^2.2.0 with redis store and cookie store. But I have not written any new test module code.
Can't we just use ctx.session = {} instead of regeneration?
@dead-horse No, no, no, no, no.
1st, in real effect, I've tested it and it's not OK: it did not do regeneration, it just cleaned the store of the corresponding user session key, because the set() function uses this.create(val, externalKey).
2nd, in the semantics, ctx.session={}, as well as set(), did the correct logic. But what we want to do in 'regeneration' is to regenerate a new session key/code, to avoid hack attacks.
@palmtale need to add test cases for this feature
Coverage remained the same at 100.0% when pulling 919968a19436ccbefc36dfd05599b6939eab3fb8 on so-glad:feature/regeneration into 777c8e836d74ea12f810c104eb4bbc61d2586365 on koajs:master.
@dead-horse How about this: set a signal _requireRegenerate in the session, and do it in commit the same as save. I also added the same test module for the cookie and external store. Actually, it's not required to clear the content of the session; if really needed, use ctx.session={};
@dead-horse Any hope of getting this merged? As it is now, we cannot use this module as we need a way to regenerate the session key when we authenticate the user. As @palmtale says, setting ctx.session = {} will empty the session, but the session key remains the same, and this leaves us open to session fixation attacks.
Would be great to see this merged, also due to https://github.com/jaredhanson/passport/issues/907