From c82967012b394f10e6a58c260a70821895a76aef Mon Sep 17 00:00:00 2001
From: Jerko Steiner
Date: Fri, 1 Nov 2019 13:23:36 -0400
Subject: [PATCH] Add session-hijacking prevention to TODO.md
---
 TODO.md | 1 +
 packages/server/src/routes/configureAuthRoutes.ts | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/TODO.md b/TODO.md
index 065d93f..7e9d4dd 100644
--- a/TODO.md
+++ b/TODO.md
@@ -9,6 +9,7 @@
 - [ ] Fix React SSR error handling
 - [ ] Add React error boundaries
 - [x] Use strings as ids for big decimals TODO verify
+- [ ] Regenerate session id after logging in to prevent session hijacking
 - [ ] Social logins
 - [ ] GitHub
diff --git a/packages/server/src/routes/configureAuthRoutes.ts b/packages/server/src/routes/configureAuthRoutes.ts
index bad2fbb..da07c46 100644
--- a/packages/server/src/routes/configureAuthRoutes.ts
+++ b/packages/server/src/routes/configureAuthRoutes.ts
@@ -27,6 +27,17 @@ export function configureAuthRoutes(
 return
 }
 await req.logInPromise(user)
+ // TODO regenerate session - prevent session hijacking
+ //
+ // Something like:
+ // var temp = req.session.passport; // {user: 1}
+ // req.session.regenerate(function(err){
+ // //req.session.passport is now undefined
+ // req.session.passport = temp;
+ // req.session.save(function(err){
+ // res.send(200);
+ // });
+ // });
 return user
 })
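Review bot: The login on `await req.logInPromise(user)` still binds the authenticated user to whatever session id existed before authentication, so the fixation risk the new comment describes is present on the new side and the commit only records it as a TODO. Regenerating the session before the login call, rather than after it as the sketched snippet does, means the fresh session receives the passport state directly and there is nothing to copy across by hand; wrapping the callback-based `req.session.regenerate` in a Promise keeps the handler's existing `await` style. If the sketch stays as a comment, its `res.send(200)` is the deprecated status form and `res.sendStatus(200)` is the current equivalent. The enclosing route handler starts and ends outside the hunk.
```typescript
// Issue a fresh session id *before* the user is attached to the session, so the
// pre-authentication id is never promoted to an authenticated one.
await new Promise<void>((resolve, reject) =>
  req.session.regenerate((err: Error | undefined) => (err ? reject(err) : resolve())),
)
await req.logInPromise(user)
// … unchanged: return user …
```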