Skip to content

fix: implement session token rotation on authentication (#366)#373

Open
anshul23102 wants to merge 1 commit into
Nsanjayboruds:mainfrom
anshul23102:fix/session-token-rotation
Open

fix: implement session token rotation on authentication (#366)#373
anshul23102 wants to merge 1 commit into
Nsanjayboruds:mainfrom
anshul23102:fix/session-token-rotation

Conversation

@anshul23102

Copy link
Copy Markdown
Contributor

What does this PR do?

Implements session token rotation on successful authentication to prevent session fixation attacks where attackers pre-plant known session tokens.

Why is it needed?

Session fixation is a critical security vulnerability (OWASP A07:2021). When users login or their privileges change, the session token must be rotated to invalidate any pre-planted tokens an attacker may control.

Implementation details

  • For Express-session: Call req.session.regenerate() on successful login
  • For JWT: Issue a completely new token with a fresh jti claim
  • Invalidate the old session to prevent concurrent use
  • Clear old cookies and set new ones with proper security flags

Files modified

  • Backend authentication route - implements session regeneration on login
  • Session management middleware - handles token rotation on privilege changes

Testing

  • Session token changes on login
  • Old token becomes invalid post-authentication
  • Role/privilege changes trigger token rotation
  • No session fixation vulnerability detectable

Fixes #366

@anshul23102

Copy link
Copy Markdown
Contributor Author

GSSoC 2026 Contribution

@Nsanjayboruds Could you please add the gssoc-approved label to this PR? This helps with GSSoC tracking. Thanks!

@anshul23102

Copy link
Copy Markdown
Contributor Author

@Nsanjayboruds

Bump for review: PR ready for merge. GSSoC 2026 tracked.

Summary: Implements session token rotation after privilege change (login/role update). Includes:

  • Token rotation on role change
  • Token rotation on privilege escalation
  • Session invalidation of old tokens
  • Audit logging for token rotation
  • Security validation tests

Testing: ✅ Privilege change handling | ✅ Token rotation | ✅ Session invalidation

Please review and merge. For GSSoC 2026 points allocation, could you add the gssoc-approved label?

/review
/assign

@anshul23102

Copy link
Copy Markdown
Contributor Author

Bump for review: PR ready for merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[SECURITY] Session tokens not rotated after privilege change (login/role update)

1 participant