
[Security] Session fixation and CSRF

Open zxti opened this issue 5 years ago • 0 comments

It is important to reset the CSRF token when authenticating as a different user, see for instance https://security.stackexchange.com/a/22936/17247. I may be missing something, but it does not appear that this starter app resets the token accordingly.

Same thing with the session itself in general: on logout there is no resetting of the session. (I don't believe that passport's .logout() method does this for you.)

zxti avatar Apr 12 '20 23:04 zxti
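The two behaviours the issue describes (session ID and CSRF token surviving authentication, and the session surviving logout) are easiest to see side by side. The following is an added example, not code from TypeScript-Node-Starter: it uses a hypothetical in-memory `SessionStore` whose `regenerate()` and `destroy()` stand in for what `req.session.regenerate()` and `req.session.destroy()` from express-session do to the server-side store, and a per-session CSRF secret that rotates with the session. The scenario data (a session ID known before login, user `alice`) is constructed.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Minimal stand-in for a server-side session record (hypothetical shape,
// not express-session's).
interface SessionData {
  userId?: string;
  csrfSecret: string; // per-session CSRF token; rotates with the session
}

// In-memory session store modelling what express-session's
// req.session.regenerate() and req.session.destroy() do to the store.
class SessionStore {
  private sessions = new Map<string, SessionData>();

  create(): string {
    const id = randomBytes(16).toString("hex");
    this.sessions.set(id, { csrfSecret: randomBytes(32).toString("hex") });
    return id;
  }

  get(id: string): SessionData | undefined {
    return this.sessions.get(id);
  }

  // New ID and new CSRF secret; the old ID stops resolving to anything.
  regenerate(oldId: string): string {
    this.sessions.delete(oldId);
    return this.create();
  }

  destroy(id: string): void {
    this.sessions.delete(id);
  }
}

// Constant-time check of a submitted CSRF token against the session's secret.
function csrfTokenValid(store: SessionStore, sid: string, token: string): boolean {
  const s = store.get(sid);
  if (!s) return false;
  const a = Buffer.from(s.csrfSecret);
  const b = Buffer.from(token);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Pattern the issue describes: the user is bound to whatever session ID and
// CSRF token already existed before authentication (session fixation risk).
function loginWithoutRotation(store: SessionStore, sid: string, userId: string): string {
  const s = store.get(sid);
  if (!s) throw new Error("unknown session");
  s.userId = userId;
  return sid;
}

// Hardened pattern: rotate the session (and with it the CSRF secret) before
// binding the authenticated identity, so a pre-login ID is worthless afterwards.
function loginWithRotation(store: SessionStore, sid: string, userId: string): string {
  const fresh = store.regenerate(sid);
  store.get(fresh)!.userId = userId;
  return fresh;
}

// Logout must drop the server-side session, not just clear the user reference.
function logout(store: SessionStore, sid: string): void {
  store.destroy(sid);
}

// Constructed scenario: a session ID (and its CSRF token) exists before login;
// check whether it still works after login, and whether logout removes it.
function runScenario() {
  const weak = new SessionStore();
  const weakPre = weak.create();
  const weakPreToken = weak.get(weakPre)!.csrfSecret;
  const weakSid = loginWithoutRotation(weak, weakPre, "alice");
  const preLoginIdStillAuthenticated =
    weakSid === weakPre && weak.get(weakSid)!.userId === "alice";
  const preLoginTokenStillValid = csrfTokenValid(weak, weakSid, weakPreToken);

  const hard = new SessionStore();
  const hardPre = hard.create();
  const hardPreToken = hard.get(hardPre)!.csrfSecret;
  const hardSid = loginWithRotation(hard, hardPre, "alice");
  const preLoginIdInvalidated = hard.get(hardPre) === undefined && hardSid !== hardPre;
  const preLoginTokenRejected = !csrfTokenValid(hard, hardSid, hardPreToken);
  const freshTokenAccepted = csrfTokenValid(hard, hardSid, hard.get(hardSid)!.csrfSecret);
  logout(hard, hardSid);
  const sessionGoneAfterLogout = hard.get(hardSid) === undefined;

  return {
    preLoginIdStillAuthenticated,
    preLoginTokenStillValid,
    preLoginIdInvalidated,
    preLoginTokenRejected,
    freshTokenAccepted,
    sessionGoneAfterLogout,
  };
}

console.log(runScenario());
```

In an express-session application the equivalent is to call `req.session.regenerate()` inside the login route before `req.logIn()`, and `req.session.destroy()` in the logout route after `req.logout()`; a CSRF token that is derived from a per-session secret is then rotated for free, and a token issued before authentication is rejected afterwards.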