HIGH session fixationfeathersjs

Session Fixation in Feathersjs

Scan for session fixation in feathersjs

How Session Fixation Manifests in Feathersjs

Session fixation in Feathersjs applications typically occurs through improper session management during authentication flows. The vulnerability arises when an attacker can force a user to use a known session ID, allowing the attacker to hijack the session after the user authenticates.

In Feathersjs, this often manifests in authentication hooks and service configurations. Consider a common pattern where authentication is handled manually without proper session invalidation:

const { authenticate } = require('@feathersjs/authentication');

app.service('users').hooks({
  before: {
    create: [authenticate('jwt')],
    login: [
      authenticate('local'),
      async (context) => {
        // Vulnerable: session ID not regenerated
        const { user } = context.result;
        context.result.user = await context.app.service('users').get(user.id);
      }
    ]
  }
});

The vulnerability appears when a fixed session ID is accepted without regeneration. An attacker could create a session, obtain the session ID, and trick a victim into authenticating with that session. Feathersjs applications using express-session or similar middleware are particularly vulnerable if they don't regenerate session IDs upon authentication.

Another manifestation occurs in Feathersjs when using the authentication service without proper session handling. The default configuration may not invalidate existing sessions when a user logs in from a new device or location:

app.configure(authentication({
  jwt: {
    header: { typ: 'access' },
    audience: 'https://yourdomain.com',
    issuer: 'feathers',
    algorithm: 'HS256',
    expiresIn: '1d'
  }
}));

Without session invalidation logic, an attacker who obtains a session ID through various means (network sniffing, XSS, or social engineering) can maintain access even after the legitimate user changes their password. This is especially problematic in Feathersjs applications that maintain long-lived sessions for "remember me" functionality.

Session fixation also appears in Feathersjs when using custom authentication strategies that don't properly handle session state. For example:

class CustomStrategy extends Strategy {
  async authenticate(authentication, params) {
    const { email, password } = authentication.payload;
    const user = await this.app.service('users').find({
      email, password
    });
    
    // Vulnerable: existing session not invalidated
    if (user) {
      return this.success(user);
    }
    return this.error(new Error('Invalid credentials'));
  }
}

This pattern allows an attacker to fixate a session before authentication completes, maintaining access to the authenticated session.

Feathersjs-Specific Detection

Detecting session fixation vulnerabilities in Feathersjs requires examining both code patterns and runtime behavior. The middleBrick API security scanner specifically tests for session fixation by attempting to authenticate with pre-existing session IDs and monitoring whether the server accepts them without regeneration.

Code analysis for session fixation in Feathersjs should focus on authentication hooks and service configurations. Look for patterns where session IDs are accepted without validation or regeneration. The middleBrick CLI tool can scan your Feathersjs application for these patterns:

npx middlebrick scan http://localhost:3030

# Or scan specific authentication endpoints
npx middlebrick scan http://localhost:3030/authentication

The scanner tests for session fixation by creating sessions, attempting authentication with those sessions, and verifying whether the server properly invalidates and regenerates session IDs. It checks common Feathersjs authentication patterns including JWT, local, and custom strategies.

Runtime detection involves monitoring session behavior during authentication. Use middleware to log session ID changes:

const sessionLogger = async (context) => {
  const oldSessionId = context.params.session?.id;
  const result = await context.app.service('authentication').create(context.data, context.params);
  const newSessionId = context.params.session?.id;
  
  if (oldSessionId && oldSessionId === newSessionId) {
    console.warn('Potential session fixation: session ID not regenerated during authentication');
  }
  return result;
};

middleBrick's scanning engine specifically tests Feathersjs applications by simulating the following attack pattern: create a session, authenticate with that session, then verify whether the session ID changes. If the session ID remains the same, the application is vulnerable to session fixation.

The scanner also checks for proper session timeout handling and concurrent session management, which are related to session fixation vulnerabilities. It verifies that Feathersjs applications properly invalidate sessions when users log out or when sessions expire.

Feathersjs-Specific Remediation

Remediating session fixation in Feathersjs requires implementing proper session management throughout the authentication lifecycle. The most critical fix is regenerating session IDs upon successful authentication. Feathersjs provides several approaches to achieve this.

First, use the built-in authentication service with proper configuration:

app.configure(authentication({
  session: true,
  jwt: {
    header: { typ: 'access' },
    audience: 'https://yourdomain.com',
    issuer: 'feathers',
    algorithm: 'HS256',
    expiresIn: '1d'
  }
}));

Then implement a hook to regenerate session IDs after authentication:

const { authenticate } = require('@feathersjs/authentication');

app.service('authentication').hooks({
  before: {
    create: [
      authenticate('jwt'),
      async (context) => {
        // Regenerate session ID after successful authentication
        if (context.params.session) {
          await context.params.session.regenerate();
        }
      }
    ]
  }
});

For custom authentication strategies, ensure session regeneration is part of the success flow:

class CustomStrategy extends Strategy {
  async authenticate(authentication, params) {
    const { email, password } = authentication.payload;
    const user = await this.app.service('users').find({
      email, password
    });
    
    if (user) {
      // Regenerate session to prevent fixation
      if (params.session) {
        await params.session.regenerate();
      }
      return this.success(user);
    }
    return this.error(new Error('Invalid credentials'));
  }
}

Implement proper session timeout and invalidation policies. Use Feathersjs's session management capabilities to automatically expire sessions:

app.configure(expressSession({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,
    httpOnly: true,
    maxAge: 24 * 60 * 60 * 1000 // 24 hours
  },
  rolling: true,
  unset: 'destroy'
}));

Add logout hooks to ensure sessions are properly destroyed:

app.service('authentication').hooks({
  after: {
    remove: [
      async (context) => {
        // Destroy session on logout
        if (context.params.session) {
          await context.params.session.destroy();
        }
      }
    ]
  }
});

For applications using JWT tokens with Feathersjs, implement token rotation to prevent fixation attacks:

const jwt = require('jsonwebtoken');

const rotateToken = async (context) => {
  const oldToken = context.params.jwt;
  if (oldToken) {
    // Verify and issue new token
    const payload = jwt.verify(oldToken, process.env.JWT_SECRET);
    const newToken = jwt.sign(payload, process.env.JWT_SECRET, {
      expiresIn: '1d'
    });
    context.result.accessToken = newToken;
  }
  return context;
};

Finally, implement IP and user agent validation to detect session hijacking attempts. While not directly preventing fixation, this adds an additional security layer:

const validateSession = async (context) => {
  const { session } = context.params;
  if (session && session.user) {
    const { ip, userAgent } = context.params;
    if (session.ip !== ip || session.userAgent !== userAgent) {
      await session.destroy();
      throw new Error('Session validation failed');
    }
  }
  return context;
};
Scan for session fixation in feathersjs Free API security scan

Frequently Asked Questions

How does middleBrick detect session fixation vulnerabilities in Feathersjs applications?
middleBrick tests for session fixation by creating a session, then attempting to authenticate with that same session ID. It verifies whether the Feathersjs application properly regenerates the session ID during authentication. The scanner also checks for improper session handling in authentication hooks and service configurations. If the session ID remains unchanged after authentication, middleBrick flags this as a vulnerability with specific remediation guidance for Feathersjs applications.
Can session fixation occur with JWT tokens in Feathersjs, or is it only a concern for session-based authentication?
While session fixation is primarily associated with server-side sessions, JWT-based Feathersjs applications can still be vulnerable to related attacks. If JWT tokens are stored in predictable locations (like cookies without proper flags) or if token rotation isn't implemented, an attacker could fixate a token. middleBrick tests for these scenarios by examining token handling patterns and verifying that Feathersjs applications implement proper token lifecycle management, including secure storage and rotation mechanisms.

Related Pages

Session Fixation in Feathersjs on Fly IoSession fixation in Feathersjs with Fly Io: causes and Fly Io-specific secure code fixes including session regeneration Session Fixation in Feathersjs on SupabaseExplore session fixation in Feathersjs with Supabase, understand the vulnerability, and apply Supabase-specific remediatSession Fixation in Feathersjs on RailwayExplore session fixation in Feathersjs on Railway, understand the vulnerability mechanics, and apply concrete code fixesPci Dss: Session Fixation in FeathersjsSession fixation in FeathersJS explained with PCI DSS controls; practical remediation code examples to regenerate sessioSoc2: Session Fixation in FeathersjsExplore SOC 2 controls for session fixation in FeathersJS, with code examples for secure session regeneration and cookieIso 27001: Session Fixation in FeathersjsExplore ISO 27001 controls for session fixation in Feathersjs with concrete remediation code and how middleBrick detectsCis: Session Fixation in FeathersjsCIS guidance on session fixation with Feathersjs: causes and secure remediation with code examples.Session Fixation in Feathersjs with Jwt TokensExplore session fixation with FeathersJS and JWT tokens: risks, real-world patterns, and code fixes for secure authenticSession Fixation in Feathersjs with Api KeysExplore session fixation in FeathersJS with API keys, understand the risk, and apply concrete code fixes to bind sessionSession Fixation in Feathersjs with Hmac SignaturesSession fixation in FeathersJS with Hmac Signatures: causes, risks, and code fixes including binding, nonce validation, Session Fixation in Feathersjs with Basic AuthSession fixation in Feathersjs with Basic Auth risks and remediation guidance, including code examples for secure sessioSession Fixation in Feathersjs with CockroachdbSession fixation in Feathersjs with Cockroachdb: causes and Cockroachdb-specific remediation with code examples.