Address Session Fixation Concerns #900
Conversation
No reviews, no assignees, no mention of BREAKING CHANGE. This is a repo with 20k+ stars, 1.2k forks, and a consistent 1M+ weekly downloads on npm. Please make BREAKING CHANGES more visible and better communicated.
I'm the only person who maintains this project.
It's listed here: https://github.com/jaredhanson/passport/blob/master/CHANGELOG.md#060---2022-05-20
and here: https://medium.com/passportjs/fixing-session-fixation-b2b68619c51d
The changelog was updated after the version was released. I appreciate your efforts and response, but for such a popular module
@sushiljainam honestly it's on you for upgrading a non stable package without checking what changed first, don't come at the maintainer like that when you're clearly the one in the wrong https://semver.org/#spec-item-4
I agree with you @tgroutars. Also, my suggestion: the maintainer should add a few more maintainers who can welcome community contributions faster, as he has less time, which is completely okay. Anyway, I learned this new thing about versions starting with 0 (0.y.z), so yeah, I'll take care in future. And respect to @jaredhanson for creating and maintaining such a popular OSS.
@sushiljainam
The passport.js changes in `0.6.0` have breaking changes related to protecting against "Session Fixation". - jaredhanson/passport#900 - https://medium.com/passportjs/fixing-session-fixation-b2b68619c51d The assumption for the fix in this commit is that our example project here only has the session storage as its storage mechanism, so we're not quite vulnerable to the same thing since the storage goes away when the local project is stopped.
* chore(deps): bump passport from 0.4.0 to 0.6.0

  Bumps [passport](https://github.com/jaredhanson/passport) from 0.4.0 to 0.6.0.
  - [Release notes](https://github.com/jaredhanson/passport/releases)
  - [Changelog](https://github.com/jaredhanson/passport/blob/master/CHANGELOG.md)
  - [Commits](jaredhanson/passport@v0.4.0...v0.6.0)

  ---
  updated-dependencies:
  - dependency-name: passport
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* fix: use `keepSessionInfo` to maintain session

  The passport.js changes in `0.6.0` have breaking changes related to protecting against "Session Fixation".
  - jaredhanson/passport#900
  - https://medium.com/passportjs/fixing-session-fixation-b2b68619c51d

  The assumption for the fix in this commit is that our example project here only has the session storage as its storage mechanism, so we're not quite vulnerable to the same thing since the storage goes away when the local project is stopped.

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Jaime Lopez <[email protected]>
This PR addresses session fixation concerns. Anytime a user logs in or logs out, the session is regenerated (resulting in a new session ID).