3 comments

[ 5.1 ms ] story [ 13.9 ms ] thread
Author here. We forked express-session to use JWT as session tokens and improve security [1, 2], notably:

- Prevent session fixation (e.g., when a user logs in a new token is emitted)

- Guarantee that destroyed sessions can't be re-saved (e.g., a logged out session can't become alive again)

- Reduce the impact of data theft from the store (stores hash(sessId) instead of sessId)

We put extra care on tests (well, as anyone should). This fork passes all tests of the original express-session and we added new tests to validate the new security guarantees. Feedback is very welcome.

[1] https://supertokens.io/blog/express-session-vs-supertokens-f...

[2] https://hackernoon.com/secure-sessions-in-javascript-forking...