req.session.regenerate is not a function since upgrade to 0.6.0

[nickyblissAviva]

We have been using passport for some time within our application and have had no issues but once upgraded from 0.5.2 to 0.6.0 we are suddenly seeing an error when submitting authentication.

C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\sessionmanager.js:28
  req.session.regenerate(function(err) {
              ^

TypeError: req.session.regenerate is not a function
    at SessionManager.logIn (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\sessionmanager.js:28:15)
    at IncomingMessage.req.login.req.logIn (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\http\request.js:39:26)
    at Strategy.strategy.success (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\middleware\authenticate.js:256:13)
    at verified (C:\stash\NTTSites\sites\fw-standards\node_modules\passport-local\lib\strategy.js:83:10)
    at Strategy.runAuth [as _verify] (C:\stash\NTTSites\sites\fw-standards\utils\passport-authentication.js:60:10)

Our passport-authentication.js just initialises passport within expressJS and sets some local strategies.

I have rolled back to 0.5.3 and our application works fine again.

Environment

• Operating System: Windows 10
• Node version: 16.13.2
• passport version: 0.6.0

[jaredhanson]

What are you using for session middleware?

[nickyblissAviva]

cookie-session 2.0.0

[jaredhanson]

Thanks for the report. This is a duplicate of #904. I'd recommend pinning to 0.5.x, until I've had a chance to release an update with the new features described on the initial issue.

[spraju92]

Passport 0.5.0 has a significant vulnerability, and when we update to 0.6.0, we see the error "TypeError: req.session.regenerate is not a function." Does that mean that anything relating to the session create issue needs to be manually edited?

[raphaelpreston]

Any update for March 2023? I see that @VottonDev has a fix in their separate repo..

[VottonDev]

Any update for March 2023? I see that @VottonDev has a fix in their separate repo..

Yeah, I'm using: https://github.com/joeyguerra/passport#missing-regenerate-on-req temporarily till passport fixes it upstream and that works for me so far when using the cookie-session module.

[hier01]

@VottonDev, what's the best way to apply the fix in joeyguerra's fork?

[VottonDev]

@VottonDev, what's the best way to apply the fix in joeyguerra's fork?

Well I've changed my package.json passport to
"passport": "github:joeyguerra/passport#missing-regenerate-on-req",

The PR for the fix is here, which is how I found it:
#947

[japthind]

I am getting the below error when I logout from my application. I am using express-session module to manage the sessions. According to the above discussion is there a permanent fix for this or do I need to downgrade from Passport 0.6.0

/node_modules/passport/lib/sessionmanager.js:83
req.session.regenerate(function(err) {
^
TypeError: Cannot read properties of undefined (reading 'regenerate')
at Immediate. (/node_modules/passport/lib/sessionmanager.js:83:17)
at process.processImmediate (node:internal/timers:471:21)

[japthind]

Hi All,

Can anyone please confirm the status of this issue as this is currently blocking one of our production deployments? Is there a permanent fix for this or do we need to downgrade to 0.5.x version?

[faizur11786]

I encountered a similar problem with version 0.6 of Passport. To resolve it, I downgraded to version 0.5.0

[imartinezmorales-loom]

I ended up resolving this issue for our upgrade to passport 0.6.0 by stubbing the regenerate and save methods. I patched the dependency in our repository in the lib/sessionmanager.js file as such:

  options = options || {};

+  this._delegate = options.delegate || {
+        regenerate: function(req, cb) {
+            cb();
+        },
+        save: function(req, cb) {
+            cb();
+        }
+    };

And then propagating those changes to the various calls to save and regenerate in the file.

[recursiveway]

@imartinezmorales-loom do we simply have to add these lines or have to change/remove something as well

[imartinezmorales-loom]

@recursiveway - I actually ended up writing a middleware function that I pull into our express server. The middleware function is just a stub similar to the one above:

export const passportMiddleware = (request, response, next) => {
  if (request.session && !request.session.regenerate) {
    request.session.regenerate = cb => {
      cb();
    };
  }

  if (request.session && !request.session.save) {
    request.session.save = cb => {
      cb();
    };
  }

  next();
};

[tonmoydeb404]

instead of using cookie-session I've used express-session as a session middleware with the latest passport package and this solves the problem.

[radoslavirha]

@tonmoydeb404 but they serve different purposes, it's not a solution.

[tanosaur]

Can't believe this still isn't fixed?

[AlvesJorge]

+1 Above

[raulrene]

instead of using cookie-session I've used express-session as a session middleware with the latest passport package and this solves the problem.

Yes but it should also work with cookie-session, it did until 0.5.0. It's not so easy for everyone to switch the session manager, especially on large projects. Hopefully this gets fixed sometime soon

[daneedev]

So should I change session manager from cookie-session to express-session, or stay on passport 0.5?

[lalitkishork73]

@drebel, it shows me, Error: req#logout requires a callback function

[yevon]

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

[daneedev]

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.

Have a nice day,
Daniel Kroufek

[yevon]

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.

Have a nice day, Daniel Kroufek

Thanks for that! I will try to replace it

[asaxena1415]

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.
Have a nice day, Daniel Kroufek

Thanks for that! I will try to replace it

express-session does not store cookies on the client side, the session gets destroyed every time the serve restarts, this is not a solution.

[yevon]

With express jwt you can store the coockie as http only, I have it working now.

[zerone0x]

express-session

Thanks for your suggestion