bo/worklenz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): improve session regeneration and response handling in login process

Browse Source 
- Enhanced session management by implementing session regeneration to prevent session fixation during login.
- Added detailed logging for session regeneration, save operations, and response headers to aid in debugging.
- Ensured the user is re-established in the new session and included session cookie details in the response for better traceability.
This commit is contained in:
Chamika J
2025-08-06 10:47:33 +05:30
parent 5b00d83847
commit 11a31e5a6d
1 changed files with 56 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
worklenz-backend/src/controllers/auth-controller.ts
View File

@@ -249,6 +249,18 @@ export default class AuthController extends WorklenzControllerBase {
}); });
} }
// Regenerate session to prevent session fixation
const oldSessionId = req.sessionID;
req.session.regenerate((regenErr) => {
if (regenErr) {
console.log("Session regeneration error:", regenErr);
}
console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID);
// Re-establish the user in the new session
req.session.passport = { user: { id: user.id } };
console.log("=== LOGIN SUCCESSFUL ==="); console.log("=== LOGIN SUCCESSFUL ===");
console.log("Session ID after login:", req.sessionID); console.log("Session ID after login:", req.sessionID);
console.log("Session data after login:", req.session); console.log("Session data after login:", req.session);
@@ -261,22 +273,41 @@ export default class AuthController extends WorklenzControllerBase {
console.log("Sending response..."); console.log("Sending response...");
console.log("Response headers before send:", res.getHeaders()); console.log("Response headers before send:", res.getHeaders());
// Ensure session is saved before sending response // Ensure session is saved and cookie is set
req.session.save((saveErr) => { req.session.save((saveErr) => {
if (saveErr) { if (saveErr) {
console.log("Session save error:", saveErr); console.log("Session save error:", saveErr);
return res.status(500).send({
done: false,
message: "Session save failed",
body: null
});
} }
console.log("Session saved, cookie header:", res.getHeader('set-cookie'));
// Force the session cookie to be sent
const sessionName = process.env.SESSION_NAME || 'connect.sid';
const sessionCookie = req.sessionID;
console.log("Session saved successfully");
console.log("Session name:", sessionName);
console.log("Session ID to be sent:", sessionCookie);
// The session middleware should automatically set the cookie
// But let's check if it's being set
console.log("Response headers after save:", res.getHeaders());
console.log("Set-Cookie header:", res.getHeader('set-cookie'));
return res.status(200).send({ return res.status(200).send({
done: true, done: true,
message: "Login successful", message: "Login successful",
user, user,
authenticated: true, authenticated: true,
sessionId: req.sessionID // Include for debugging sessionId: req.sessionID, // Include for debugging
}); sessionCookie: sessionName // Include cookie name for debugging
}); });
}); });
}); // Close regenerate callback
}); // Close login callback
})(req, res, next); })(req, res, next);
} }