Replies: 1 comment 1 reply
-
When you're using createCookieSessionStorage the session data is stored in the cookie itself, so there's no session ID in that case. But when you're using any other way to create your session storage the session ID is generated any time a new session object is created; this happens when the cookie header you're parsing with

So if you want to force a new session ID you could create a new session:

```ts
import { redirect, type ActionFunctionArgs } from "@remix-run/node";
// Assumed: your app's own session storage instance (created with createSessionStorage,
// createFileSessionStorage, etc.). The module path below is a placeholder.
import { sessionStorage } from "~/sessions.server";

export async function action({ request }: ActionFunctionArgs) {
  // the session the browser currently holds, looked up by its cookie
  let currentSession = await sessionStorage.getSession(request.headers.get("cookie"));
  // getSession() with no cookie value creates a session with a fresh ID
  let newSession = await sessionStorage.getSession();
  // carry the existing data over to the new session
  Object.entries(currentSession.data).forEach(([key, value]) => {
    newSession.set(key, value);
  });
  // remove the old session (and its ID) from the storage backend
  await sessionStorage.destroySession(currentSession);
  return redirect("/", {
    headers: { "set-cookie": await sessionStorage.commitSession(newSession) }
  });
}
```

By calling destroySession with the current session object that will delete it from the place the session data is stored, and there's no need to send it to the browser because you're overwriting the session cookie with the new session ID, so destroySession is there just to clear it from the storage.
-
I am reading about session fixation. While Remix doesn't accept session id through get / post variables, one suggested counter measure is to regenerate session id on user login, and some frameworks already do this (Laravel afaik).
I hope Remix could provide an API to regenerate the session id, probably on the session object, thank you!