Session Identifier Stored in Cookie during Logout #84

Open
tianjk99 opened this issue Dec 4, 2023 · 0 comments
tianjk99 commented Dec 4, 2023

Please check if there is any problem.
The code in the file "user.js" at the path "innovate-digital-bank/portal/routes" includes a logout endpoint ("/endpoints/logout") that stores the session identifier (sid) in a cookie during the logout process. While this approach may not pose an immediate security risk, it is important to address potential vulnerabilities and follow security best practices.
```js
// current logout handler (portal/routes/user.js): clears the cookie by expiring it "now"
res.cookie("connect.sid", "", {expires: new Date()});
```
Currently, the code clears the "connect.sid" cookie and destroys the session. However, it does not generate a new session identifier after the logout, which could leave the application vulnerable to session fixation attacks. In a session fixation attack, an attacker could obtain the session identifier before the session is destroyed and use it to impersonate the user.
It is advisable to implement secure cookie options by setting the "Secure" flag to true to ensure the cookie is only transmitted over HTTPS, and the "HttpOnly" flag to true to prevent client-side script access to the cookie.
