Session fixation in fastify-passport
High severity • GitHub Reviewed
Published Apr 21, 2023 in fastify/fastify-passport • Updated Nov 9, 2023
Package: @fastify/passport
Affected versions: < 1.1.0 (patched in 1.1.0); >= 2.0.0, < 2.3.0 (patched in 2.3.0)
Published to the GitHub Advisory Database: Apr 21, 2023
Reviewed: Apr 21, 2023
Published by the National Vulnerability Database: Apr 21, 2023
Last updated: Nov 9, 2023

Description
Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers.

Details

Fastify applications rely on the @fastify/passport library for user authentication. The login and user validation are performed by the authenticate function. When executing this function, the sessionId is preserved between the pre-login and the authenticated session. Network and same-site attackers can hijack the victim's session by tossing a valid sessionId cookie in the victim's browser and waiting for the victim to log in on the website.

Fix

As a solution, newer versions of @fastify/passport regenerate the sessionId upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session.