Implementing session regeneration with oidc-middleware

Hi Okta team,

Firstly thank you for such an excellent product.

Is there any handling built in for regenerating the session on login, a la req.session.regenerate(), with oidc-middleware or passport.js? This is to mitigate session fixation.

From my testing I think I’ve already circumvented the issue as:

  • I don’t save anything to my session store before login, so before the first login there is no express-session cookie in the browser.
  • On logout I call req.session.destroy() so, even though the old express-session cookie hangs around in the browser, a new cookie is always generated as there’s nothing referencing the old one in the session store.

But I do want to be as bulletproof as possible.

Previously I tried to customize my route using callback.handler, but ran into some errors. I’d be happy to provide code if that is the right way to go about regenerating the session.

Cheers and keep up the great work.
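The regeneration step the question asks about, as an added example that is not from the original post or from Okta's oidc-middleware: once the OIDC callback has authenticated the user, the express-session id is swapped for a fresh one, so whatever id the browser held before login never becomes the authenticated session. `regenerateAfterLogin` uses only the real express-session API (`req.sessionID`, `req.session.regenerate`, `req.session.save`); where it is mounted, the `user` field it writes and the `returnTo` value it preserves are assumptions, and the request/store objects below are a constructed synchronous stand-in so the demo runs offline.

```javascript
// Post-login step: mount after the OIDC callback has populated the identity.
// Copies only the pre-login state you actually need into the new session.
function regenerateAfterLogin(req, userData, done) {
  const previousId = req.sessionID;
  const returnTo = req.session.returnTo; // assumed pre-login state worth keeping
  req.session.regenerate((err) => {
    if (err) return done(err);
    if (returnTo) req.session.returnTo = returnTo;
    req.session.user = userData; // identity is attached to the NEW id only
    req.session.save((saveErr) => done(saveErr, { previousId, newId: req.sessionID }));
  });
}

// --- constructed stand-in for express-session (synchronous, in-memory) ---
// Models the behaviour of regenerate(): drop the old id from the store,
// mint a new id, and start an empty session under it.
function makeRequest(store, incomingId) {
  const req = { sessionID: incomingId, session: null };
  let counter = 0;
  function attach(id) {
    req.sessionID = id;
    req.session = store.get(id) || {};
    store.set(id, req.session);
    req.session.regenerate = (cb) => {
      store.delete(req.sessionID);
      attach(`sid-${++counter}`);
      cb(null);
    };
    req.session.save = (cb) => { store.set(req.sessionID, req.session); cb(null); };
  }
  attach(incomingId);
  return req;
}

// Constructed scenario: the browser arrives with an id that already exists
// in the store before login, then authenticates as "alice".
function demo() {
  const store = new Map();
  store.set('sid-before-login', { returnTo: '/dashboard' });
  const req = makeRequest(store, 'sid-before-login');
  let ids;
  regenerateAfterLogin(req, { sub: 'alice' }, (err, result) => {
    if (err) throw err;
    ids = result;
  });
  return {
    ...ids,
    oldIdStillValid: store.has(ids.previousId), // false: pre-login id is gone
    newSession: store.get(ids.newId),           // carries user and returnTo
  };
}
```

Passport 0.6.0 and later already regenerate the session inside `req.logIn` by default, so check the Passport version in use before layering this on top.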