express-session's default configuration still leaves session fixation open in 2026.
The module works, but its defaults belong in a museum. We document three practical CSRF variants that survive typical middleware stacks. Migrate, or harden aggressively.
§1 · Context
express-session is in more production deployments than it should be.
The defaults, cookie.secure: false, no sameSite attribute on the session
cookie, and no session ID regeneration on privilege change (login, role
switch), were defensible in 2015. They are indefensible in 2026.
§2 · Three practical attacks
We demonstrate, on minimal middleware stacks taken from the top 20
tutorials a major search engine ranks for express-session, three CSRF
variants that succeed out of the box. Each is a single request. Each
performs a state-changing action with the logged-in victim's privileges.
Full reproduction is in the appendix; the summary: SameSite=Lax only
withholds the cookie from cross-site requests that use an unsafe method.
A cross-site top-level GET navigation still carries it, so Lax is not
enough when the application routes the sensitive action through GET, and
one of the sampled stacks does exactly that by redirecting POST to a GET
handler that performs the action.
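To make the Lax-plus-redirect failure concrete, here is an added example (not code from the post, nor from express-session or the sampled tutorials): a pure-Node model of the browser's SameSite attachment rule and a toy transfer endpoint shaped like the redirecting stack, run once unhardened and once with the fix (mutations only on POST, foreign Origin refused). The hostnames bank.example and attacker.example, the session ID, the balances and the request objects are all constructed for the example.

```javascript
'use strict';
// Added example, not code from the post or from express-session: a pure-Node
// model of the browser's SameSite decision and a toy app shaped like the
// sampled tutorial stacks (POST /transfer redirects to a GET that moves the
// money). Session IDs, balances, hostnames and request objects are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const SITE = 'https://bank.example';

// Does the browser attach `cookie` to `req`?
// req: { method, path, query, crossSite, topLevelNavigation, origin }
function cookieAttached(cookie, req) {
  if (!req.crossSite) return true;                  // same-site: always sent
  switch (cookie.sameSite) {
    case 'Strict': return false;                    // never on cross-site requests
    case 'Lax':    return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    case 'None':   return cookie.secure === true;   // None without Secure is dropped
    default:
      // Attribute absent (express-session's default). Firefox and Safari treat it
      // as None; Chromium applies Lax with a two-minute window in which top-level
      // POSTs also carry it. Model the weakest browser.
      return true;
  }
}

// hardened=false: POST /transfer answers 303 to GET /transfer?..., which moves money.
// hardened=true:  only POST moves money, and a foreign Origin is refused.
function makeApp({ hardened = false } = {}) {
  const balances = { victim: 100, attacker: 0 };
  const sessions = { 'sid-victim': { user: 'victim' } };   // victim is logged in
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

  function transfer(session, q) {
    if (!session || !session.user) return { status: 401 };
    const amount = Number(q.amount);
    if (!(amount > 0) || !own(balances, q.to) || balances[session.user] < amount) return { status: 400 };
    balances[session.user] -= amount;
    balances[q.to] += amount;
    return { status: 200 };
  }

  const routes = hardened
    ? { 'POST /transfer': transfer }
    : { 'POST /transfer': (_s, q) => ({ status: 303, location: `/transfer?to=${q.to}&amount=${q.amount}` }),
        'GET /transfer': transfer };

  function handle(req, cookie) {
    // Every state change must be a POST whose Origin is our own site.
    if (hardened && !SAFE_METHODS.has(req.method) && req.origin !== SITE) return { status: 403 };
    const route = routes[`${req.method} ${req.path}`];
    if (!route) return { status: 404 };
    const session = cookieAttached(cookie, req) ? sessions[cookie.value] : undefined;
    const res = route(session, req.query);
    if (res.status === 303) {
      // The browser follows with a top-level GET. The request is still cross-site
      // (the attacker's page started the chain), but Lax allows safe-method
      // top-level navigations, so this time the cookie rides along.
      const url = new URL(res.location, SITE);
      return handle({ ...req, method: 'GET', path: url.pathname,
                      query: Object.fromEntries(url.searchParams), topLevelNavigation: true }, cookie);
    }
    return res;
  }
  return { handle, balances };
}

// A form (POST) or link (GET) on attacker.example aimed at the victim's browser.
function csrfFromAttackerPage(app, cookie, method) {
  return app.handle({
    method, path: '/transfer', query: { to: 'attacker', amount: '100' },
    crossSite: true, topLevelNavigation: true, origin: 'https://attacker.example',
  }, cookie);
}

// Run one scenario and report the victim's balance afterwards (100 = attack failed).
function victimBalanceAfterAttack({ hardened = false, sameSite, method }) {
  const app = makeApp({ hardened });
  const cookie = { value: 'sid-victim', sameSite, secure: true };
  csrfFromAttackerPage(app, cookie, method);
  return app.balances.victim;
}

for (const sc of [
  { sameSite: undefined, method: 'POST' },
  { sameSite: 'Lax', method: 'POST' },
  { sameSite: 'Lax', method: 'GET' },
  { sameSite: 'Strict', method: 'POST' },
  { hardened: true, sameSite: 'Lax', method: 'POST' },
]) console.log(JSON.stringify(sc), '-> victim balance', victimBalanceAfterAttack(sc));
```

The interesting row is Lax with a cross-site POST: the browser withholds the cookie on the POST, the tutorial handler redirects anyway, and the follow-up GET is a top-level navigation that Lax permits, so the transfer goes through with the victim's session. Strict blocks it, but Strict also logs users out of links arriving from elsewhere; the durable fix is the hardened branch, which does not depend on the cookie attribute at all.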
§3 · Session fixation
The session cookie (connect.sid by default) is not regenerated on
privilege change. The documented pattern for regeneration is four lines
that nobody copies correctly. Migrate to a framework that does this for you.
§4 · What to do
Use Lucia, next-auth with its hardened defaults, or a framework that gets
cookies right by design. If migration is impossible, the hardened
configuration is documented in our gist. But nobody who has to consult a
gist to harden a library is going to remember to recheck it after the
next minor upgrade.