The new behavior of always regenerating session ID on login described here and implemented here is breaking our application.
We have been using a custom login flow for social login in our desktop application that involves opening a webview, passing along the session ID, setting the session ID in the browser, performing a social login and then killing the webview. This sets the session as logged in to the user in the desktop program.
The new behavior sets the login to a new session ID with a Set-Cookie that cannot safely be communicated back to our program, thus making this security update less secure for us.
Addressing session fixation is good, but for our case we'd really like an option to turn auto-regeneration off for specific cases. We solved the issue for now by pinning the previous version.
Thank you for providing passport, we have been using it in production for 10+ years :-)