-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fastify/sessions does not destroy automatically the sessions which already expired. #251
Comments
Automatic deletion is not provided for The following implementations should therefore be carried out.
Reference package: Notes: Depending on the database you use, it can be automatically deleted on the database side, so I think the session library does not take care of database-specific matters. |
Express-sessions automatically deletes the expired sessions. And if the fastify/sessions does not destroy them automatically, then what is the purpose of implementing destroy which the mandatory method for implementing your own session store (set, get, destroy), if it doesn't make sense, why fastify/sessions get us to implement it, what is the purpose? And checking if the session is expired in EVERY get request is unnecessary probably for 9 of 10 requests. And this is bad for the system. I guess it would be devouring for the server. |
The memory store of
I would like to hear the views of this library's contributors. |
I would need to investigate this. The cat is out of the bag, but please submit all potential vulnerabilities through proper channels and not via GH issues. |
@Prag1974 @mcollina Apparently there is a bug in the handling of https://github.com/fastify/session/blob/v10.8.0/lib/fastifySession.js#L85-L105 Therefore, if the |
Where are the proper channels, ? I will record a new video in details and appeal there with it. |
I know. But that is not the case. When the fastify session gives us a new session. That means the old one should be expired. But as in the video. We can access it and this is a vulnerability. Did you watch the video? |
https://github.com/fastify/session/security/policy. Even asking “where can I send a potential security issue privately” is better. |
Fixed as part of GHSA-pj27-2xvp-4qxg. |
Prerequisites
Fastify version
4.27
Plugin version
10.8.0
Node.js version
20.12.0
Operating system
Windows
Operating system version (i.e. 20.04, 11.3, 10)
11
Description
Fastify version: latest
Node.js version: 20.12.0
NPM version: 10.2.0
For other versions please check out the package.json file
I'm using TypeScript and I'm trying to build a session-based-authentication system. I used to use express, but I've found many reasons why fastify is much better. So I'm using fastify/session as a session package. I'm using Prisma to store sessions. I've connected prism as the session store of fastify/session. It works fine.
But the problem is that fastify/session does not delete expired sessions. Neither from memory nor from Prisma. Only cookies are deleted and that is thanks to fastify/cookies. Instead of deleting the session from the fastify/session store, it gives the user a new session. You can say that there is no problem here, after all, it does not use the old session. But when we replace the cookie with the cookie of the old session and advance the expire time of the cookie (because fastify/cookies removes the cookie if we don't advance it), it still allows us to access the old session. (Check the video) This is a security vulnerability. How can I solve this?
And its not about the session storage which I implement (prisma storage), if you delete this storage (that means you are using memory storage by default) same vulnerability is still valid. How can I solve this? or any source can you suggest?
Check index.ts file, the related video and package.json file.
If fastify/session automatically destroys expired sessions, there will be no problem, but the destroy method I implemented in the store is never triggered. Can you help me?
Apologies for my english. Thanks.
Video (or you can also watch on youtube: https://youtu.be/EXB0mhckHoc):
Accessingoldsession.mp4
index.ts (which also available to inspect in github : GitHub Repo):
Link to code that reproduces the bug
No response
Expected Behavior
No response
The text was updated successfully, but these errors were encountered: