This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
It is important to reset the CSRF token when authenticating as a different user, see for instance https://security.stackexchange.com/a/22936/17247. I may be missing something but it does not appear that this starter app resets the token accordingly.
Same thing with the session itself in general: on logout there is no resetting of the session. (I don't believe that passport's .logout() method does this for you.)
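The rotation the issue asks for, as an added example that is not part of the original issue or the starter app's code: a self-contained in-memory model in which login and logout discard the old session together with the CSRF token bound to it. The store and all function names are hypothetical; with express-session the corresponding calls are `req.session.regenerate()` and `req.session.destroy()`.

```javascript
// Added example: in-memory model of session and CSRF token rotation.
// All names here are hypothetical; this is not the starter app's code.
const crypto = require('node:crypto');

const sessions = new Map(); // session id -> { user, csrfToken }
const randomToken = () => crypto.randomBytes(32).toString('hex');

// Issue a brand-new session id with its own CSRF token.
function createSession(user = null) {
  const sid = randomToken();
  sessions.set(sid, { user, csrfToken: randomToken() });
  return sid;
}

// Authentication boundary: invalidate the pre-login session (and the CSRF
// token bound to it) and hand back a fresh id, so an id or token learned
// before login is useless afterwards.
function login(oldSid, user) {
  sessions.delete(oldSid);
  return createSession(user);
}

// Logout: destroy the server-side record, then start a new anonymous session.
function logout(sid) {
  sessions.delete(sid);
  return createSession(null);
}

function currentUser(sid) {
  const s = sessions.get(sid);
  return s ? s.user : null;
}

function csrfTokenFor(sid) {
  const s = sessions.get(sid);
  return s ? s.csrfToken : null;
}

// Constant-time comparison of the submitted token against the session's token.
function verifyCsrf(sid, token) {
  const expected = csrfTokenFor(sid);
  if (!expected || typeof token !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(token);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```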