Add feature of regeneration for #34

[palmtale]

Add feature of regeneration for #34

[coveralls]

Coverage remained the same at 100.0% when pulling dcede0c on so-glad:feature/regeneration into 777c8e8 on koajs:master.

[palmtale]

Just await ctx.regenerateSession() to regen a new session. I've tested in an env of Mac koa^2.2.0 with redis store and cookie store.
But not write any new code of test module

[dead-horse]

can't we just use ctx.session = {} instead of regeneration ?

[palmtale]

@dead-horse
No, no, no, no, no.
1st, In real effect, I've tested, it's not OK, did not do regeneration, just clean the store of the correspond user session key, because of the set() function using this.create(val, externalKey) .

2nd, In the semantics, ctx.session={}, as well as set(), did correct logic. But what we want to do in 'regeneration', is to regenerate a new session key/code, for avoiding hack attack.

[dead-horse]

@palmtale need to add test cases for this feature

[dead-horse]

I don't want to add too many properties in ctx, maybe we can move this method to ctx.session.regenerate(), and it should be an async function.

[coveralls]

Coverage remained the same at 100.0% when pulling 919968a on so-glad:feature/regeneration into 777c8e8 on koajs:master.

[palmtale]

@dead-horse How about this, set signal _requireRegenerate in session, and do it in commit as the same as save.
And also added the same test module in cookie and external store.
Actually, it's not required to clear the content of session, if really need, use ctx.session={};

[smh]

@dead-horse Any hope of getting this merged? As it is now, we cannot use this module as we need a way to regenerate the session key when we authenticate the user. As @palmtale says, setting ctx.session = {} will empty the session, but the session key remains the same, and this leaves us open to session fixation attacks.

[lehni]

Would be great to see this merged, also due to jaredhanson/passport#907