Refactor sessions to frequently rotate

In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
2025-07-07 22:42:49 +02:00 · 2025-07-07 22:42:49 +02:00 · 1775fac5fd
commit 1775fac5fd
parent d9b78bff69
18 changed files with 168 additions and 73 deletions
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@ -3,9 +3,16 @@
 	SPDX-License-Identifier: AGPL-3.0-or-later
 */
 import type { H3Event } from "h3";
-import { nextSessionId, readSessions, readSubscriptions, type ServerSession, type ServerUser, writeSessions, writeSubscriptions } from "~/server/database";
-
-const oneYearSeconds = 365 * 24 * 60 * 60;
+import {
+	nextSessionId,
+	readSessions,
+	readSubscriptions,
+	readUsers,
+	type ServerSession,
+	type ServerUser,
+	writeSessions,
+	writeSubscriptions
+} from "~/server/database";

 async function removeSessionSubscription(sessionId: number) {
 	const subscriptions = await readSubscriptions();
@ -40,48 +47,105 @@ export async function clearServerSession(event: H3Event) {

 export async function setServerSession(event: H3Event, account: ServerUser) {
 	const sessions = await readSessions();
+	const runtimeConfig = useRuntimeConfig(event);
 	await clearServerSessionInternal(event, sessions);

+	const now = Date.now();
 	const newSession: ServerSession = {
-		account,
+		accountId: account.id,
+		access: account.type,
+		expiresAtMs: now + runtimeConfig.sessionExpiresTimeout * 1000,
+		discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
 		id: await nextSessionId(),
 	};

 	sessions.push(newSession);
 	await writeSessions(sessions);
-	await setSignedCookie(event, "session", String(newSession.id), oneYearSeconds)
+	await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
 }

-export async function refreshServerSession(event: H3Event, session: ServerSession) {
-	await setSignedCookie(event, "session", String(session.id), oneYearSeconds)
+async function rotateSession(event: H3Event, sessions: ServerSession[], session: ServerSession) {
+	const runtimeConfig = useRuntimeConfig(event);
+	const users = await readUsers();
+	const account = users.find(user => user.id === session.accountId);
+	const now = Date.now();
+	const newSession: ServerSession = {
+		accountId: account?.id,
+		access: account?.type ?? "anonymous",
+		expiresAtMs: now + runtimeConfig.sessionExpiresTimeout * 1000,
+		discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
+		id: await nextSessionId(),
+	};
+	session.successor = newSession.id;
+	sessions.push(newSession);
+	await writeSessions(sessions);
+	await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
+	return newSession;
 }

-export async function getServerSession(event: H3Event) {
+export async function getServerSession(event: H3Event, ignoreExpired: boolean) {
 	const sessionCookie = await getSignedCookie(event, "session");
 	if (sessionCookie) {
 		const sessionId = parseInt(sessionCookie, 10);
 		const sessions = await readSessions();
-		return sessions.find(session => session.id === sessionId);
+		const session = sessions.find(session => session.id === sessionId);
+		if (session) {
+			if (!ignoreExpired && session.successor !== undefined) {
+				throw createError({
+					statusCode: 403,
+					statusMessage: "Forbidden",
+					message: "Session has been taken by another agent.",
+				});
+			}
+			const now = Date.now();
+			if (now >= session?.discardAtMs) {
+				return undefined;
+			}
+			if (!ignoreExpired && now >= session?.expiresAtMs) {
+				return await rotateSession(event, sessions, session);
+			}
+		}
+		return session;
 	}
 }

-export async function requireServerSession(event: H3Event) {
-	const session = await getServerSession(event);
+export async function requireServerSession(event: H3Event, message: string) {
+	const session = await getServerSession(event, false);
 	if (!session)
 		throw createError({
-			status: 401,
-			message: "Account session required",
+			statusCode: 401,
+			statusMessage: "Unauthorized",
+			message,
 		});
 	return session;
 }

+export async function requireServerSessionWithUser(event: H3Event) {
+	const message = "User session required";
+	const session = await requireServerSession(event, message);
+	const users = await readUsers();
+	const account = users.find(user => user.id === session.accountId);
+	if (session.accountId === undefined || !account)
+		throw createError({
+			statusCode: 401,
+			statusMessage: "Uauthorized",
+			message,
+		});
+	return { ...session, accountId: session.accountId };
+}
+
+
 export async function requireServerSessionWithAdmin(event: H3Event) {
-	const session = await requireServerSession(event);
-	if (session.account.type !== "admin") {
+	const message = "Admin session required";
+	const session = await requireServerSession(event, message);
+	const users = await readUsers();
+	const account = users.find(user => user.id === session.accountId);
+	if (session.access !== "admin" || account?.type !== "admin") {
 		throw createError({
 			statusCode: 403,
 			statusMessage: "Forbidden",
+			message,
 		});
 	}
-	return session;
+	return { ...session, accountId: session.accountId };
 }