Advisories for Npm/@Fastify/Secure-Session package

2024

@fastify/secure-session: Reuse of destroyed secure session cookie

At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new …