Sessions do not always have regenerate() and save() causing a fault #904
Comments
Thanks for the report. My intent here is to make the session manager pluggable (it is already by setting I'll look into implementing a
Thanks. I am pinning to 0.5.x until then! Much appreciated.
We are also facing issues with the regenerate call happening "automatically" during login and logout. Would it be an option to add an option to disable this behaviour?
@simllll What jaredhanson proposed above would allow you to do that, by providing a SessionManager that does not call regenerate.
- Also downgrade Passport from 0.6.0 -> 0.5.0 - Incompatibility between the two - see details here jaredhanson/passport#904
Also currently facing this error.
What is an example of a session manager that does not call regenerate?
I think one of the main ones is cookie-session. They have also filed an issue to figure out next steps depending on what passport decides to do. expressjs/cookie-session#166
One moderate-level vulnerability requiring an upgrade to passport 0.6.0 was not fixed due to a bug in that version of passport that broke the authentication flow: jaredhanson/passport#904
Hello, any update on this issue? The workaround to 0.5.x is vulnerable to CVE-2022-25896. Any plan to support
Can anyone suggest an alternative for this passport library? There doesn't seem to be any effort to fix this.
This reverts commit 13ced8b. This is needed as 0.6.0 is broken, and needs a fix to how session handling works. This is covered in jaredhanson/passport#904 Signed-off-by: James Tocknell <aragilar@gmail.com>
246: Revert "Update passport to 0.6.0" r=aragilar a=aragilar This reverts commit 13ced8b. This is needed as 0.6.0 is broken, and needs a fix to how session handling works. This is covered in jaredhanson/passport#904 Co-authored-by: James Tocknell <aragilar@gmail.com>
We're looking for ways to mitigate the CVE while the ecosystem adopts passport 0.6, has the public method to set SessionManager been released?
Would be nice to have this fixed so that the lib can be updated to 0.6.x+ which includes a fix for security vulnerability with moderate severity
I faced the problem that my session was overwritten after the passport.authenticate method.

```javascript
const passport = require('passport');

// flashDataToSession is the poster's own helper and is not shown in the thread.
function authenticate(req, res, next) {
  return passport.authenticate('local', (err, user) => {
    // Copy initial session data before req.login() regenerates the session
    const { flashedData, returnToUrl } = req.session;
    if (err) {
      return next(err);
    }
    if (!user) {
      const flashData = {
        status: 'error',
        message: 'Authentication failed!',
      };
      return flashDataToSession(req, flashData, () => {
        res.redirect('/auth/login');
      });
    }
    return req.login(user, loginErr => {
      if (loginErr) {
        return next(loginErr);
      }
      // Keep initial session data: restore it into the regenerated session
      req.session.flashedData = flashedData;
      req.session.returnToUrl = returnToUrl;
      return req.session.save(() => next());
    });
  })(req, res, next);
}
```
We have faced the same issue in our project and solved it with a non-intrusive workaround until it is fixed officially. This workaround allowed us to upgrade to the newest version and therefore get rid of the security vulnerability CVE-2022-25896. Posting it here, maybe it helps somebody.

```javascript
const express = require('express');
const cookieSession = require('cookie-session');

const app = express();

app.use(cookieSession({
  // ...
}))

// register regenerate & save after the cookieSession middleware initialization
app.use(function(request, response, next) {
  // cookie-session exposes neither method, so provide no-op versions
  if (request.session && !request.session.regenerate) {
    request.session.regenerate = (cb) => {
      cb()
    }
  }
  if (request.session && !request.session.save) {
    request.session.save = (cb) => {
      cb()
    }
  }
  next()
})
```
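The shim from the workaround above, factored into a reusable function and paired with a simplified model of the passport 0.6.0 login step, so the fault and the fix can be reproduced offline. This is an added example, not code from the thread, from passport or from cookie-session; `modelLogIn`, `loginOutcome` and the sample session object are constructed for the example.

```javascript
const PASSPORT_KEY = 'passport';

// Give a session object no-op regenerate()/save() only when the store does
// not provide them. cookie-session keeps the whole session inside the signed
// cookie, so there is no server-side session id to rotate on login, which is
// why a no-op regenerate() is acceptable for that store specifically.
function ensureSessionMethods(session) {
  if (session && typeof session.regenerate !== 'function') {
    session.regenerate = cb => cb();
  }
  if (session && typeof session.save !== 'function') {
    session.save = cb => cb();
  }
  return session;
}

// Express-style middleware form; mount it after the cookie-session middleware.
function sessionShim(req, res, next) {
  ensureSessionMethods(req.session);
  next();
}

// Simplified model of the 0.6.0 login step (regenerate, write the serialized
// user, save). Assumption: a paraphrase of the flow the thread describes,
// not passport's own SessionManager code.
function modelLogIn(req, serializedUser, cb) {
  if (!req.session) return cb(new Error('Login sessions require session support'));
  req.session.regenerate(err => {
    if (err) return cb(err);
    req.session[PASSPORT_KEY] = { user: serializedUser };
    req.session.save(cb);
  });
}

// Run the model login against a session object and report what happened,
// catching the TypeError a store without regenerate() produces.
function loginOutcome(session) {
  const req = { session };
  let outcome = 'callback never called';
  try {
    modelLogIn(req, 42, err => { outcome = err ? 'error: ' + err.message : 'ok'; });
  } catch (e) {
    outcome = e.name + ': ' + e.message;
  }
  return outcome;
}

// Constructed sample: a bare object, which is what cookie-session hands passport.
const sampleCookieSession = () => ({ returnTo: '/dashboard' });
```

Without the shim `loginOutcome(sampleCookieSession())` fails with a TypeError, the crash reported in this issue; after `ensureSessionMethods` it returns `'ok'` and the pre-login data survives.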
Thanks for that. It has been working great.
Hi, is this bug fixed?
patch-package allows seamless patching of npm modules (dependencies) without having to fork them. You can modify the files in node_modules and use patch-package to capture the changes and reapply them each time the module is installed. passport.js 0.6.0 currently has a bug that breaks the logout function. The maintainer hasn't had bandwidth to fix it, but there is a pull request in github that addresses the issue. The patch here applies the changes from the pull request to 0.6.0. Passport bug: jaredhanson/passport#904 Passport Fix/Pull Request: jaredhanson/passport#947
I'm facing this issue with the MongoStore, the downgrade to 0.5.3 is working but I would like to upgrade to the latest... any news?
Hello, any news on this fix?
This works for me, thank you so much.
I am the author of MeshCentral and use cookie-session along with Passport. A recent commit in Passport is causing crashes because cookie-session does not have a regenerate() or save() method. See this issue: expressjs/cookie-session#166
Could Passport revert to the old style of setting session values unless these methods exist? Thanks.