bo/worklenz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): improve session regeneration and response handling in login process

Browse Source 
- Enhanced session management by implementing session regeneration to prevent session fixation during login.
- Added detailed logging for session regeneration, save operations, and response headers to aid in debugging.
- Ensured the user is re-established in the new session and included session cookie details in the response for better traceability.
This commit is contained in:
Chamika J
2025-08-06 10:47:33 +05:30
parent 5b00d83847
commit 11a31e5a6d
1 changed files with 56 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
worklenz-backend/src/controllers/auth-controller.ts
View File

@@ -249,34 +249,65 @@ export default class AuthController extends WorklenzControllerBase {
}); });
} }
console.log("=== LOGIN SUCCESSFUL ==="); // Regenerate session to prevent session fixation
console.log("Session ID after login:", req.sessionID); const oldSessionId = req.sessionID;
console.log("Session data after login:", req.session); req.session.regenerate((regenErr) => {
console.log("Is authenticated:", req.isAuthenticated()); if (regenErr) {
console.log("User in session:", req.user); console.log("Session regeneration error:", regenErr);
// Add build version
user.build_v = FileConstants.getRelease();
console.log("Sending response...");
console.log("Response headers before send:", res.getHeaders());
// Ensure session is saved before sending response
req.session.save((saveErr) => {
if (saveErr) {
console.log("Session save error:", saveErr);
} }
console.log("Session saved, cookie header:", res.getHeader('set-cookie'));
return res.status(200).send({ console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID);
done: true,
message: "Login successful", // Re-establish the user in the new session
user, req.session.passport = { user: { id: user.id } };
authenticated: true,
sessionId: req.sessionID // Include for debugging console.log("=== LOGIN SUCCESSFUL ===");
console.log("Session ID after login:", req.sessionID);
console.log("Session data after login:", req.session);
console.log("Is authenticated:", req.isAuthenticated());
console.log("User in session:", req.user);
// Add build version
user.build_v = FileConstants.getRelease();
console.log("Sending response...");
console.log("Response headers before send:", res.getHeaders());
// Ensure session is saved and cookie is set
req.session.save((saveErr) => {
if (saveErr) {
console.log("Session save error:", saveErr);
return res.status(500).send({
done: false,
message: "Session save failed",
body: null
});
}
// Force the session cookie to be sent
const sessionName = process.env.SESSION_NAME || 'connect.sid';
const sessionCookie = req.sessionID;
console.log("Session saved successfully");
console.log("Session name:", sessionName);
console.log("Session ID to be sent:", sessionCookie);
// The session middleware should automatically set the cookie
// But let's check if it's being set
console.log("Response headers after save:", res.getHeaders());
console.log("Set-Cookie header:", res.getHeader('set-cookie'));
return res.status(200).send({
done: true,
message: "Login successful",
user,
authenticated: true,
sessionId: req.sessionID, // Include for debugging
sessionCookie: sessionName // Include cookie name for debugging
});
}); });
}); }); // Close regenerate callback
}); }); // Close login callback
})(req, res, next); })(req, res, next);
} }