From 697ed3bf37fed7ae7185aae8de9b9976637d013c Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Tue, 13 Apr 2021 21:32:16 -0400
Subject: [PATCH] feat: roll session identifier on login, as security best practice

see: https://owasp.org/www-community/attacks/Session_fixation
---
 src/controllers/authentication.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index a9263ffe72..0542355bb6 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -326,6 +326,9 @@ authenticationController.doLogin = async function (req, uid) {
 		return;
 	}
 	const loginAsync = util.promisify(req.login).bind(req);
+	const regenerateSession = util.promisify(req.session.regenerate).bind(req.session);
+
+	await regenerateSession();
 	await loginAsync({ uid: uid });
 	await authenticationController.onSuccessfulLogin(req, uid);
 };
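Review bot: Calling `regenerateSession()` before `loginAsync` replaces `req.session` with a fresh, empty session, so any state the login flow stored in the session earlier (a post-login redirect target, a CSRF secret, pending flash data, or similar) is discarded at this point; whether doLogin or its callers depend on such state is not visible in this hunk, but if they do, the values needed after login should be read off the old session before the `await regenerateSession();` line and written back onto the new `req.session` afterwards. The two added lines also assume `req.session` and `req.session.regenerate` exist, and `util.promisify(undefined)` throws a TypeError rather than a login-specific error, so the guard that precedes this code (its condition is outside the hunk) should be confirmed to cover a request without session middleware. The intent deserves a comment since it is a deliberate security control rather than an incidental call, e.g. `// Roll the session ID before associating uid with it, so a session ID fixed before login cannot be reused afterwards (OWASP: Session Fixation).` The enclosing doLogin function starts before this hunk; its closing `};` is inside it.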