How to refresh the session ID / cookie after a user changes their password?
JPaulDev opened this issue · 1 comments
In general it is recommended after a user changes their password to invalidate the session and issue a new one, but this doesn't seem to be working with the way other people recommend doing it with passport.
This is also the advice found here https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
When a user changes their password the session id should be regenerated. Just search for the heading "Renew the Session ID After Any Privilege Level Change" for the section I'm talking about.
So how do we go about forcing a regeneration of a session ID without logging the user out and forcing them to log back in? I know for example Instagram, if you go to change your password in the account section, just logs you back in automatically.
Calling req.session.destroy(); before passport's login function doesn't work either; what happens is the session cookie gets removed and passport doesn't issue a new session cookie.
Edit: It looks like Jared has addressed this in the new version of passport; however, that version is currently broken and causes issues, and I had to downgrade to v5 to fix it. Just thought I would include this information here in case anyone comes looking for it.
https://medium.com/passportjs/fixing-session-fixation-b2b68619c51d
But it seems there is no way to do this with next-session? I know express-session has a req.session.regenerate() function that can be used to achieve what I'm looking for.