Closed jeffwilcox closed 4 years ago
The Passport library by default does not protect against session fixation. Since the default experience for passport-azure-ad is to use cookies, I thought it would be helpful for the README example to clearly regenerate the session.
This is not a vulnerability with the library itself, but rather just extra caution common to the passport ecosystem per https://github.com/jaredhanson/passport/issues/192.