Cookie changes "revalidate" and "update" are creating new session id every time

Question

Cookie changes "revalidate" and "update" are creating new session id every time

Closed this issue 2 years ago · 8 comments

Hi all,
please note that this might not be a bug. I've been searching for some best-practices and it's not so easy, so I'm asking here too.

This line:

https://github.com/julianlam/nodebb-plugin-session-sharing/blob/master/library.js#L430

gets executed every time when the "session handling" -> "cookie changes" is set to either "revalidate" or "update". One of the things that's happening is that the user get's a new session with a new sessionId. This is causing us some performance issues.

I wonder if the logic here could change so that if there is no need for new session, it's not created?

julianlam commented 2 years ago

v7.1.0

Answer 1 · 2023-02-03T14:51:16.000Z

My gut reaction was this was related to session reroll.

Wasn't this fixed by your PR NodeBB/NodeBB#11255?

Answer 2 · 2023-02-03T15:11:10.000Z

I'm sorry, it seems like the mentioned fix did only half the job.

Passport login function will now always regenerate the session in the logIn function: https://github.com/jaredhanson/passport/blob/master/lib/sessionmanager.js#L28

The parameter keepSessionInfo merges the old data into the new session: https://github.com/jaredhanson/passport/blob/master/lib/sessionmanager.js#L37

Answer 3 · 2023-02-10T22:09:00.000Z

Oh yes, that is true. A new session is created regardless, with a new id.

Unfortunately I don't think that is something we can counteract, as it is has always been handled by Passport...

Answer 4 · 2023-02-10T22:11:42.000Z

I think at the end of the day, the fact that a new session is created is quite intentional in order to counter session fixation attacks. I cannot advise as to how commonplace session fixation attacks are, although it is definitely considered a vulnerability.

Answer 5 · 2023-02-10T22:15:40.000Z

Hm, it could be that .doLogin need not be called on revalidate/update, since you're technically already logged in...

I will take a closer look...

Answer 6 · 2023-02-15T16:30:18.000Z

I don't have much time this week, sorry for the delay.

it could be that .doLogin need not be called on revalidate/update, since you're technically already logged in

Yes I agree. I think the best way would be to mix up hasSession and loginLock so that it works just like revalidate/update behaviour are defined.

Answer 7 · 2023-02-15T22:14:09.000Z

It seems to work fine — insofar as my limited testing and running of the test suite seems to tell me.

If you have revalidate/update set, it will return early after validating the cookie and ensuring that the uid matches.