From 7fd29b18a806473fcd2cfc63fdd3bc870f30551d Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Wed, 1 Jul 2015 12:08:57 +0100
Subject: [PATCH] destroy users session before creating a new one for them after login session changed to prevent against fixation attacks
---
 .../Features/Authentication/AuthenticationController.coffee | 1 +
 .../Authentication/AuthenticationControllerTests.coffee | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
index 5b934e4f25..c992fec578 100644
--- a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
+++ b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
@@ -154,6 +154,7 @@ module.exports = AuthenticationController =
 		# Regenerate the session to get a new sessionID (cookie value) to
 		# protect against session fixation attacks
 		oldSession = req.session
+		req.session.destroy()
 		req.sessionStore.generate(req)
 		for key, value of oldSession
 			req.session[key] = value
diff --git a/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee b/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
index 485aeba475..10d0e87b12 100644
--- a/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
@@ -423,6 +423,7 @@ describe "AuthenticationController", ->
 		beforeEach ->
 			@req.session =
 				save: sinon.stub().callsArg(0)
+				destroy : sinon.stub()
 			@req.sessionStore =
 				generate: sinon.stub()
 			@AuthenticationController.establishUserSession @req, @user, @callback
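Review bot: The added `req.session.destroy()` in the controller hunk passes no callback, and if this is express-session's Session#destroy it deletes the session from the store asynchronously and reports failure only through that callback, so the code goes on to `generate` and copy the old keys whether or not the old, possibly attacker-chosen session id was actually invalidated. A store error or a slow delete therefore leaves the fixated id valid while the new session is already being populated and saved, which is the exact case the comment says this code protects against. Doing the generate-and-copy inside the destroy callback (or calling the store's `regenerate`, which in express-session is destroy followed by generate) makes the rotation fail closed; the unit-test stub would then need `destroy: sinon.stub().callsArg(0)` to drive the callback. establishUserSession starts and ends outside this hunk, so the `callback` name below is taken from the test call, not from visible code.
```coffeescript
oldSession = req.session
req.session.destroy (err) ->
	return callback(err) if err?
	req.sessionStore.generate(req)
	for key, value of oldSession
		req.session[key] = value
	# … unchanged: remainder of establishUserSession (set req.session.user, save) …
```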
@@ -435,6 +436,9 @@ describe "AuthenticationController", ->
 			@req.session.user.referal_id.should.equal @user.referal_id
 			@req.session.user.isAdmin.should.equal @user.isAdmin
+		it "should destroy the session", ->
+			@req.session.destroy.called.should.equal true
+
 		it "should regenerate the session to protect against session fixation", ->
 			@req.sessionStore.generate.calledWith(@req).should.equal true
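Review bot: The new test asserts only that `destroy` was called, not that it ran before `generate`, yet the fixation defence this commit adds depends on the old session being torn down before the replacement is created and filled from `oldSession`. Sinon stubs record call order, so the property can be pinned directly: `@req.session.destroy.calledBefore(@req.sessionStore.generate).should.equal true`. The enclosing describe block starts and ends outside this hunk.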