I'm using a Node.js server and I'm developing with the Connect framework. I'm trying to regenerate SIDs after a given interval to avoid session fixation. There's a method called req.session.regenerate which, according to the docs, should do just that.
« To regenerate the session simply invoke the method, once plete a new SID and Session instance will be initialized at req.session »
Example code:
req.session.regenerate(function(err){
// will have a new session here
});
After calling the above method, I check the value of req.sessionID, only to find that the value is the same as before.
If I try to get the sessionID from within req.session.regenerate and write it to the terminal I get a new SID, which is even more perplexing ~ I.E why would you want the SID generated only within the scope of the callback? If I assign the value to a global variable, it's value is undefined.
I've a feeling that it's something really obvious that I'm overlooking.
Any help is appreciated.
I'm using a Node.js server and I'm developing with the Connect framework. I'm trying to regenerate SIDs after a given interval to avoid session fixation. There's a method called req.session.regenerate which, according to the docs, should do just that.
« To regenerate the session simply invoke the method, once plete a new SID and Session instance will be initialized at req.session »
Example code:
req.session.regenerate(function(err){
// will have a new session here
});
After calling the above method, I check the value of req.sessionID, only to find that the value is the same as before.
If I try to get the sessionID from within req.session.regenerate and write it to the terminal I get a new SID, which is even more perplexing ~ I.E why would you want the SID generated only within the scope of the callback? If I assign the value to a global variable, it's value is undefined.
I've a feeling that it's something really obvious that I'm overlooking.
Any help is appreciated.
Share Improve this question edited May 25, 2023 at 16:08 aynber 23k9 gold badges54 silver badges68 bronze badges asked Mar 10, 2011 at 20:15 J. Michael WilsonJ. Michael Wilson 5045 silver badges5 bronze badges 3-
1
Where/when are you checking
req.sessionID? Maybe the code you're checking with is actually checking before the regenerate function runs. – Chris W. Commented Mar 10, 2011 at 22:13 - I've been checking in a few places. Before, from within, and after regenerate to pare the values. I use console.log to send the value of req.session.id to the terminal. And there's no difference in them. – J. Michael Wilson Commented Mar 11, 2011 at 3:21
- did you fix this ? I'm having another slightly different issue : stackoverflow./questions/5646905/… – Lewis Commented Apr 13, 2011 at 10:24
2 Answers
Reset to default 3Just send the response back in the callback of the regenerate function. Since the session regeneration is async, when you return to the client it will still have the older session.
req.session.regenerate(function(err) {
req.session.myid = "myvalue";
res.simpleJSON(200, status);
});
In all likelihood your problem is related to this issue:
https://github./senchalabs/connect/pull/263
In any case, the behavior you describe is exactly the same as reported in the issue.