We are using the ring-session middleware with https://github.com/clj-commons/friend and it mostly works fine. However, one thing it doesn't do is regenerate the session when users log in. This is common advice in order to prevent session fixation attacks. Is anybody doing that (using Friend or other tools)? If so, how?
https://github.com/ring-clojure/ring/wiki/Sessions
> If you simply want to recreate the session, due to a privilege escalation for example, add the :recreate key to the session metadata. This will cause the session identifier that is sent to the browser to change.
(require '[ring.util.response :refer [response]])

(defn handler [request]
  (-> (response "Session identifier recreated")
      ;; :recreate in the session metadata makes the session store drop the old session and issue a new identifier
      (assoc :session (vary-meta (:session request) assoc :recreate true))))
It comes down to using ring.middleware.session/wrap-session:
https://github.com/ring-clojure/ring/blob/f7dfe7c9b98c335e4573e61d94c523d5df9a6667/ring-core/src/ring/middleware/session.clj#L44
Adding the meta k/v [:recreate true] causes the session store to delete the old session and make a new one.
thanks
do you remember why you chose friend over buddy or other auth solutions?
I wasn't there then, but I think it was kinda arbitrary; those were simply the libraries available at that time.