0

I'm using node/express.js with cookie-session in my application.

Currently, when a user logs in, a cookie is stored in their browser with a value, for example: `session: ABC123`. If the user logs out, the cookie is deleted. When the user logs back in, the same cookie and value are stored in the browser: `session: ABC123`.

I am getting the same session user_sid whenever I log in.

I want to randomize the session user_sid every time the user logs in.

Sajjan Karn

2 Answers

2

There is no notion of a session id with the cookie-session package.

In the typical scenario where the session data is stored on the server, a session id is generated that maps to a given user's session data. It is this session id that is kept in the session cookie.

With the cookie-session package, however, the session data itself is stored in the cookie (as opposed to on the server), so there is no need for such a mapping or a session id at all. So in effect, and unless the session data is actually updated from one session to another, the session cookie will be the same.

IAmDranged
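The behaviour described in this answer, as an added example that is not part of the original thread and is not cookie-session's own code. It assumes a simplified model of the scheme (cookie value = base64 of the JSON session data, plus an HMAC signature); `SECRET`, the `nonce` field and the function names are hypothetical.

```javascript
// Simplified model of a data-in-cookie session (assumption, not library code).
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not a real key

// Serialize the session data itself into the cookie value: no session id.
function encodeSession(data) {
  return Buffer.from(JSON.stringify(data)).toString('base64');
}

// HMAC over "name=value" so the server can detect a tampered cookie.
function sign(name, value) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${name}=${value}`).digest('hex');
}

// Constant-time comparison of the presented signature with the expected one.
function verify(name, value, sig) {
  const expected = Buffer.from(sign(name, value));
  const given = Buffer.from(String(sig));
  return expected.length === given.length &&
    crypto.timingSafeEqual(expected, given);
}

// Login as in the question: identical data, so an identical cookie each time.
function loginStatic(userId) {
  const value = encodeSession({ user_sid: userId });
  return { value, sig: sign('session', value) };
}

// Login that adds a fresh random nonce: the data changes, so the cookie does.
function loginWithNonce(userId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const value = encodeSession({ user_sid: userId, nonce });
  return { value, sig: sign('session', value) };
}

const s1 = loginStatic(42), s2 = loginStatic(42);
console.log('static logins share a cookie:', s1.value === s2.value);
const n1 = loginWithNonce(42), n2 = loginWithNonce(42);
console.log('nonce logins share a cookie:', n1.value === n2.value);
console.log('older nonce cookie still verifies:',
  verify('session', n1.value, n1.sig));
```

In a cookie-session app the same effect comes from assigning a fresh random value to a field on `req.session` in the login handler. Because nothing is stored server-side, an older cookie still verifies unless the server also records which nonce is current.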
1

You want to call `session.regenerate()` when the user successfully logs in; that will do what you want and also address session fixation attacks.

zebullon
  • Btw, I am not using express-session in my app. I am using cookie-session. Is there any way to regenerate the session in cookie-session? – Sajjan Karn May 03 '21 at 03:55
  • Sorry I assumed you were also using express-session. With bare cookie-session, then no straightforward way that I know of :/ – zebullon May 03 '21 at 07:42