Session#regenerate does not call SessionStore#destroy

[SpraxDev]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.26.2

Plugin version

10.7.0

Node.js version

20.11.1

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

5.15.150-1-MANJARO

Description

I am trying to regenerate a session in one of my routes to make sure whatever data is in there is reset and I would prefer to also get a new session id as I am essentially restarting the session.

But as far as I can see there is no way for me, without manually interacting with the SessionStore myself, to delete the old session id.

#regenerate only generates a new session for me and stores it.

Steps to Reproduce

Something like:

this.fastify.get('/regenerate', async (request, reply) => {
  await request.session.regenerate();
  request.session.set('userId', 123);
  await request.session.save();

  return reply.send();
});

For easier understanding on what is happening in the store:

    this.fastify.register(FastifySession, {
      secret: '...',
      store: {
        set: (sessionId, session, callback) => {
          console.log(`#set(${JSON.stringify(sessionId)}, ${JSON.stringify(session)}`);
          callback();
        },
        get: (sessionId, callback) => {
          console.log(`#get(${JSON.stringify(sessionId)})`);
          callback(null, null);
        },
        destroy: (sessionId, callback) => {
          console.log(`#destroy(${JSON.stringify(sessionId)})`);
          callback();
        }
      }
    });

Expected Behavior

I am essentially generating a completely new session with different ID and data/content.

I'd expect the session to be automatically deleted from the store as it is no longer used/needed.

As far as I can see, there is also no good workaround for this as calling await request.session.destroy(); before regenerating the session sets it to null causing TypeError: Cannot read properties of null (reading 'regenerate')

[gabor-s]

A quick and dirty workaround:

let session = request.session;
await session.destroy();
await session.regenerate();
session = null; // just to make sure you don't use it or session = request.session

[rktyt]

This seems to have the potential to lead to a security problem.
Depending on the user code, this could potentially lead to session fixation.

It seems that no PR has been created for a long time, but I think it should be addressed.
However, I am unable to create a PR myself.

---

Since express-session works in a similar way, it might not be a problem.

[SpraxDev]

Since express-session works in a similar way, it might not be a problem.

To me, this feels very unexpected. Best-case, a stale session with nobody using it remains in the store.
Worst-case, somebody unexpected keeps using it and the session remains valid (maybe gets auto refreshed/extended).

I'd personally prefer it to be destroyed by-default with an option to not destroy it, in case somebody has a different use-case.
Or at least document that behavior, maybe with a code snippet that shows destroying the old/current session before calling regenerate.

[mcollina]

A PR would be welcomed.