rondomoon/rondo-framework
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add session-hijacking prevention to TODO.md

Browse Source
This commit is contained in:
Jerko Steiner 2019-11-01 13:23:36 -04:00
parent 8aa03e927e
commit c82967012b
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
TODO.md
View File

@ -9,6 +9,7 @@
- [ ] Fix React SSR error handling - [ ] Fix React SSR error handling
- [ ] Add React error boundaries - [ ] Add React error boundaries
- [x] Use strings as ids for big decimals TODO verify - [x] Use strings as ids for big decimals TODO verify
- [ ] Regenerate session id after logging in to prevent session hijacking
- [ ] Social logins - [ ] Social logins
- [ ] GitHub - [ ] GitHub

11
packages/server/src/routes/configureAuthRoutes.ts
View File

@ -27,6 +27,17 @@ export function configureAuthRoutes(
return return
} }
await req.logInPromise(user) await req.logInPromise(user)
// TODO regenerate session - prevent session hijacking
//
// Something like:
// var temp = req.session.passport; // {user: 1}
// req.session.regenerate(function(err){
// //req.session.passport is now undefined
// req.session.passport = temp;
// req.session.save(function(err){
// res.send(200);
// });
// });
return user return user
}) })