passport: Sessions do not always have regenerate() and save() causing a fault
I am the author of MeshCentral and use cookie-session along with Passport. A recent commit in Passport is causing crashes because cookie-session does not have a regenerate() or save() method.
See this issue: https://github.com/expressjs/cookie-session/issues/166
Could Passport revert to the old style of setting session values unless these methods exist? Thanks.
About this issue
- State: open
- Created 2 years ago
- Reactions: 20
- Comments: 18 (1 by maintainers)
Commits related to this issue
- build: Update cookie-session to v2 - Also downgrade Passport from 0.6.0 -> 0.5.0 - Incompatibility between the two - see details here https://github.com/jaredhanson/passport/issues/904 — committed to theopensystemslab/planx-new by DafyddLlyr 2 years ago
- Update deprecated npm packages and fix npm audit vulnerabilities (#69) One moderate-level vulnerability requiring an upgrade to passport 0.6.0 was not fixed due to a bug in that version of passport t... — committed to stripe/stripe-connect-rocketrides by mpark-stripe 2 years ago
- Revert "Update passport to 0.6.0" This reverts commit 13ced8b0c00bb26edca6fc947a9c9ecfa5642b45. This is needed as 0.6.0 is broken, and needs a fix to how session handling works. This is covered in ht... — committed to FAIMS/FAIMS3-conductor by aragilar 2 years ago
- Merge #246 246: Revert "Update passport to 0.6.0" r=aragilar a=aragilar This reverts commit 13ced8b0c00bb26edca6fc947a9c9ecfa5642b45. This is needed as 0.6.0 is broken, and needs a fix to how sessio... — committed to FAIMS/FAIMS3-conductor by bors[bot] 2 years ago
- Add patch-package and temp fix for passport.js 0.6.0 bug patch-package allows seamless patching of npm modules (dependencies) without having to fork them. You can modify the files in node_modules and... — committed to sahat/hackathon-starter by YasharF a year ago
We have faced the same issue in our project and solved it with a non-intrusive workaround until it is fixed officially. As the error message indicates, the regenerate function is missing. Subsequently, the save method is missing too. Therefore, we provide a dummy implementation of those two functions.
This workaround allowed us to upgrade to the newest version and therefore get rid of the security vulnerability CVE-2022-25896
Posting it here, maybe it helps somebody
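The workaround described above, as an added example (it is not the commenter's code, nor Passport's or cookie-session's): a middleware that gives cookie-session's req.session the two methods Passport 0.6 calls during login. The middleware name, the stand-in login routine and the request object are all constructed for this example.

```javascript
// Added example, not the commenter's code or Passport's. Express-style middleware
// that gives a cookie-session req.session the regenerate()/save() methods that
// Passport 0.6's logIn() calls, so the "regenerate is not a function" fault goes away.
// Assumed: mounted after cookieSession(); the session's enumerable keys are its data.
function sessionShim(req, res, next) {
  const session = req.session;
  if (session && typeof session.regenerate !== 'function') {
    // express-session's regenerate() hands back a fresh, empty session. Mimic that
    // by clearing the data in place: req.session must stay the same object, since
    // assigning a new one would give a cookie-session object without these methods.
    Object.defineProperty(session, 'regenerate', {
      enumerable: false, configurable: true, writable: true, // keep it out of the cookie
      value: function regenerate(cb) {
        for (const key of Object.keys(session)) delete session[key];
        cb(null);
      }
    });
  }
  if (session && typeof session.save !== 'function') {
    // cookie-session serialises the cookie when the response ends; nothing to flush
    Object.defineProperty(session, 'save', {
      enumerable: false, configurable: true, writable: true,
      value: function save(cb) { cb(null); }
    });
  }
  next();
}

// Simplified stand-in for what Passport 0.6's session manager does on login
// (constructed for this example): rotate the session, then store the user.
function passportStyleLogIn(req, user, cb) {
  req.session.regenerate(function (err) {
    if (err) return cb(err);
    req.session.passport = { user: user };
    req.session.save(cb);
  });
}

// Constructed request whose session carries a value set before login; regenerate()
// must drop it so nothing pre-set survives the change of privilege.
function demo() {
  const req = { session: { preLoginValue: 'stale' } };
  let nextCalled = false;
  sessionShim(req, {}, function () { nextCalled = true; });
  let outcome = null;
  passportStyleLogIn(req, 'user-42', function (err) {
    outcome = { err: err, nextCalled: nextCalled, session: req.session };
  });
  return outcome;
}
```

With cookie-session there is no server-side session id to rotate, so this regenerate() can only empty the session contents; Passport 0.6's keepSessionInfo option copies data from the previous session object after regenerate, and since the shim clears that same object in place, such data is gone by then.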
Hi, I was wondering if there are any updates on this issue, we need to upgrade to 0.6.0 due to snyk finding, however we can’t due to this issue
Thanks for the report. My intent here is to make the session manager pluggable (it is already by setting passport._sm, but will add a public method in a future release). This would allow session management to be plugged in similarly to strategies, which would allow targeting different session implementations (such as cookie-session). I'll look into implementing a cookie-session-based session manager. For now, I'd suggest pinning to the 0.5.x release of Passport.
Hello, any update on this issue? The workaround to 0.5.x is vulnerable to CVE-2022-25896. Any plan to support a cookie-session-like session manager? It is listed in express's official docs for session management. It would be great if both strategies are supported. Otherwise, a persistent storage is required to use passport.js for session management.
Would be nice to have this fixed so that the lib can be updated to 0.6.x+ which includes a fix for a security vulnerability with moderate severity
Also currently facing this error.
Can anyone suggest an alternative for this passport library? There doesn’t seem to be any effort to fix this.
We’re looking for ways to mitigate the CVE while the ecosystem adopts passport 0.6, has the public method to set SessionManager been released?
Hello, any news on this fix???
@simllll What jaredhanson proposed above would allow you to do that, by providing a SessionManager that does not call regenerate.
What is an example of a session manager that does not call regenerate?