Passport v0.6.0 - Active Defense Against Session Fixation

[jaredhanson]

This release changes the session management functionality of passport to regenerate the session, thus issuing a new session ID, any time a user logs in or out. This actively defends against certain classes of session fixation attacks that were previously the application's responsibility (but often not implemented). Updating is highly recommended, as it improves overall security posture, but may require minor modifications to an application.

For more information, see the announcement on the blog.

[YC]

Hi @jaredhanson, I'm working on updating the typescript definitions for passport 0.6.0 (DefinitelyTyped/DefinitelyTyped#60562).
I'm wondering whether whether there's a valid use case for req.logout without a callback function.
I've looked up the documentation for req.logout but it was unclear on this issue.

[jaredhanson]

The only use case would be if you are not using session management, meaning there's no underlying artifacts like cookies to destroy. This would only be possible today if you unset the internal passport._sm variable (which references the session manager). I might start exposing this in a public way in the future, for apps that need it.