Airbug. Login, Register, and Logout #111
Description
Login, Register, and Logout in a way that ensures that the session data held in the client's secure cookie, express session and handshake data session are the same.
Using secure cookies means that the cookie is not accessible on the client side via JavaScript. An HTTP request must be made to update the cookie.
In order to prevent session fixation attacks, we cannot simply update all socket connections that were previously established under a given anonymous user session to point at the new session created when that anonymous user logs in or registers.
Current solution: Process login, register, and logout via ajax.
On login or register, regenerate the session and tell all socket connections associated with the original anonymous session to disconnect and connect again so that the handshake data is reset. Only the client computer/browser combination that properly authenticated will hold the new session id, which grants it the proper permissions. Other client computers/browsers still using the old session id will continue to be that anonymous user on their socket connections.
On logout, the session should be regenerated and all socket connections associated with that session disconnected. The client should then reconnect. The new session should be associated with an anonymous user.