fix: session regeneration (#12864)

Co-authored-by: Matt Kane <[email protected]>
Co-authored-by: Emanuele Stoppa <[email protected]>

Author: 3 people

.changeset/hot-baboons-own.md

@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes a bug where the session ID wasn't correctly regenerated

packages/astro/src/core/session.ts

@@ -182,9 +182,8 @@ export class AstroSession<TDriver extends SessionDriverName = any> {
 		const oldSessionId = this.#sessionID;
 
 		// Create new session
-		this.#sessionID = undefined;
+		this.#sessionID = crypto.randomUUID();
 		this.#data = data;
-		this.#ensureSessionID();
 		await this.#setCookie();
 
 		// Clean up old session asynchronously

packages/astro/test/sessions.test.js

@@ -0,0 +1,47 @@
+import assert from 'node:assert/strict';
+import { before, describe, it } from 'node:test';
+import testAdapter from './test-adapter.js';
+import { loadFixture } from './test-utils.js';
+
+describe('Astro.session', () => {
+	/** @type {import('./test-utils').Fixture} */
+	let fixture;
+
+	before(async () => {
+		fixture = await loadFixture({
+			root: './fixtures/sessions/',
+			output: 'server',
+			adapter: testAdapter(),
+		});
+	});
+
+	describe('Production', () => {
+		let app;
+		before(async () => {
+			await fixture.build();
+			app = await fixture.loadTestAdapterApp();
+		});
+
+		async function fetchResponse(path, requestInit) {
+			const request = new Request('http://example.com' + path, requestInit);
+			const response = await app.render(request);
+			return response;
+		}
+
+		it('can regenerate session cookies upon request', async () => {
+			const firstResponse = await fetchResponse('/regenerate', { method: 'GET' });
+			const firstHeaders = Array.from(app.setCookieHeaders(firstResponse));
+			const firstSessionId = firstHeaders[0].split(';')[0].split('=')[1];
+
+			const secondResponse = await fetchResponse('/regenerate', {
+				method: 'GET',
+				headers: {
+					cookie: `astro-session=${firstSessionId}`,
+				},
+			});
+			const secondHeaders = Array.from(app.setCookieHeaders(secondResponse));
+			const secondSessionId = secondHeaders[0].split(';')[0].split('=')[1];
+			assert.notEqual(firstSessionId, secondSessionId);
+		});
+	});
+});