Sessions do not always have regenerate() and save() cauing a fault #904
Comments
|
Thanks for the report. My intent here is to make the session manager pluggable (it is already by setting I'll look into implementing a |
jaredhanson
added
bug
|
Thanks. I am pinning to 0.5.x until then! Much appreciated. |
|
We are also facing issues with the regenerate call happneing "automatically" during login and logout, would it be an option to add an option to disable this behaviour? |
|
@simllll What jaredhanson proposed above would allow you to do that, by providing a SessionManager that does not call regenerate. |
|
Hi, I was wondering if there are any updates on this issue, we need to upgrade to 0.6.0 due to snyk finding, however we can't due to this issue |
- Also downgrade Passport from 0.6.0 -> 0.5.0 - Incompatability between the two - see details here jaredhanson/passport#904
|
Also currently facing this error. |
What is an example of a session manager that does not call regenerate? |
|
I think one of the main ones is cookie-session. They have also filed an issue to figure out next steps depending on what passport decides to do. expressjs/cookie-session#166 |
One moderate-level vulnerability requiring an upgrade to passport 0.6.0 was not fixed due to a bug in that version of passport that broke the authentication flow: jaredhanson/passport#904
|
Hello, any update on this issue? The workaround to 0.5.x is vulnerable to CVE-2022-25896. Any plan to to support |
|
Can anyone suggest an alternative for this passport library? There doesn't seem to be any effort to fix this. |
This reverts commit 13ced8b. This is needed as 0.6.0 is broken, and needs a fix to how session handling works. This is covered in jaredhanson/passport#904 Signed-off-by: James Tocknell <aragilar@gmail.com>
246: Revert "Update passport to 0.6.0" r=aragilar a=aragilar This reverts commit 13ced8b. This is needed as 0.6.0 is broken, and needs a fix to how session handling works. This is covered in jaredhanson/passport#904 Co-authored-by: James Tocknell <aragilar@gmail.com>
We're looking for ways to mitigate the CVE while the ecosystem adopts passport 0.6, has the public method to set SessionManager been released? |
|
Would be nice to have this fixed so that the lib can be updated to 0.6.x+ which includes a fix for security vulnerability with moderate severity |
|
I faced the problem that my session was overwritten after the passport.authenticate method. function authenticate(req, res, next) {
return passport.authenticate('local', (err, user) => {
// Copy Initial Session Data
const { flashedData, returnToUrl } = req.session;
if (err) {
return next(err);
}
if (!user) {
const flashData = {
status: 'error',
message: 'Authentication failed!',
};
return flashDataToSession(req, flashData, () => {
res.redirect('/auth/login');
});
}
return req.login(user, loginErr => {
if (loginErr) {
return next(loginErr);
}
// Keep initial Session data
req.session.flashedData = flashedData;
req.session.returnToUrl = returnToUrl;
return req.session.save(() => next());
});
})(req, res, next);
} |
|
We have faced the same issue in our project and solved it with a non-intrusive workaround until it is fixed officially. This workaround allowed us to upgrade to the newest version and therefore get rid of the security vulnerability CVE-2022-25896 Posting it here, maybe it helps somebody app.use(cookieSession({
// ...
}))
// register regenerate & save after the cookieSession middleware initialization
app.use(function(request, response, next) {
if (request.session && !request.session.regenerate) {
request.session.regenerate = (cb) => {
cb()
}
}
if (request.session && !request.session.save) {
request.session.save = (cb) => {
cb()
}
}
next()
}) |
Thanks for that. It has been working great. |
|
Hi is this bug fixed? |
patch-package allows seamless patching of npm modules (dependencies) without having to fork them. You can modify the files in node_modules and use patch-package to capture the changes and reapply them each time the module is installed. passport.js 0.6.0 currently has a bug that breaks the logout function. The maintainer hasn't had bandwidth to fix it, but there is a pull request in github that addresses the issue. The patch here applies the changes from the pull request to 0.6.0. Passport bug: jaredhanson/passport#904 Passport Fix/Pull Request: jaredhanson/passport#947
|
I'm facing this issue with the MongoStore, the downgrade to 0.5.3 is working but I would like to upgrade to the latest... any news? |
|
Hello , any news on this fix ??? |
|
this works for me thank you so much |
I am the author of MeshCentral and use
cookie-sessionalong with Password. A recent commit in Password is causing crashes becausecookie-sessiondoes not have a regenerate() or save() method.See this issue: expressjs/cookie-session#166
Could Passport revert to the old style of setting session values unless these methods exist? Thanks.
The text was updated successfully, but these errors were encountered: