Best Practice for Session ID Regeneration to Prevent Session Fixation Attacks #66

kaiserbh · 2023-10-28T16:45:30Z

kaiserbh
Oct 28, 2023

Hello,

So I'm interested in implementing security best practices, specifically against session fixation attacks. In other libraries (axum-session), there is often a method to regenerate the session ID upon successful user login for example session.regenerate(). However, I couldn't find a straightforward way to achieve this with tower-session.

I see that there are methods like session.clear(), session.delete(), and session.flush(). Could you please clarify which of these methods, if any, would be most effective for preventing session fixation attacks (read more on session fixation) by regenerating the session ID?

Regards,
KB

Answered by maxcountryman

Oct 28, 2023

You're looking for cycle_id, this will regenerate the session ID.

View full answer

maxcountryman · 2023-10-28T16:53:21Z

maxcountryman
Oct 28, 2023
Maintainer

You're looking for cycle_id, this will regenerate the session ID.

1 reply

kaiserbh Oct 28, 2023
Author

Thank you for the quick and insightful reply! cycle_id is exactly what I was looking for. Much appreciated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Best Practice for Session ID Regeneration to Prevent Session Fixation Attacks #66

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Best Practice for Session ID Regeneration to Prevent Session Fixation Attacks #66

kaiserbh Oct 28, 2023

Replies: 1 comment · 1 reply

maxcountryman Oct 28, 2023 Maintainer

kaiserbh Oct 28, 2023 Author

kaiserbh
Oct 28, 2023

Replies: 1 comment 1 reply

maxcountryman
Oct 28, 2023
Maintainer

kaiserbh Oct 28, 2023
Author