I'm using a Node.js server and I'm developing with the Connect framework. I'm trying to regenerate SIDs after a given interval to avoid session fixation. There's a method called req.session.regenerate which, according to the docs, should do just that.

« To regenerate the session simply invoke the method, once complete a new SID and Session instance will be initialized at req.session »

Example code:

req.session.regenerate(function(err){
    // will have a new session here
 });

After calling the above method, I check the value of req.sessionID, only to find that the value is the same as before.

If I try to get the sessionID from within req.session.regenerate and write it to the terminal I get a new SID, which is even more perplexing ~ I.E why would you want the SID generated only within the scope of the callback? If I assign the value to a global variable, it's value is undefined.

I've a feeling that it's something really obvious that I'm overlooking.

Any help is appreciated.

Just send the response back in the callback of the regenerate function. Since the session regeneration is async, when you return to the client it will still have the older session.

req.session.regenerate(function(err) {
                                req.session.myid = "myvalue";
                                res.simpleJSON(200, status);
                        });

In all likelihood your problem is related to this issue:

https://github.com/senchalabs/connect/pull/263

In any case, the behavior you describe is exactly the same as reported in the issue.