Description
Even though the value of `iron_session_id` in the cookie is empty, SessionStorage doesn't generate a new session id. The browser sends a cookie if its value is not set. In this situation, SessionStorage generates a new session id and sends a `Set-Cookie: ...` header. But SessionStorage treats an empty session id as valid, and then stores values associated with an empty key. It is buggy, I think.
Additionally, if the value of `iron_session_id` isn't empty, calling the `set` method (e.g. `req.session.set(T)`) in the web application stores values associated with the value of `iron_session_id`. It may be correct. But it is potentially vulnerable to a "session fixation" attack, so it is scary to use this library for user authorization.
FYI, this is a document about session fixation: https://www.owasp.org/index.php/Session_fixation
A better solution, I think, is that SessionStorage also provides a method to use a session id specified by the web application.
Thanks for the awesome library.
Version of iron-sessionstorage
```toml
iron-sessionstorage = { version = "0.6.6", features = ["redis-backend"] }
```
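To illustrate the two behaviours the report asks for, here is a minimal store (added example, not iron-sessionstorage's code) that never accepts an empty or unissued `iron_session_id` as a key and that can rotate the id at login; the `SessionStore` type, its methods and the counter-based id generator are all hypothetical.

```rust
use std::collections::HashMap;

/// Hypothetical in-memory session store (added example, not iron-sessionstorage's code).
#[derive(Default)]
pub struct SessionStore {
    sessions: HashMap<String, HashMap<String, String>>,
    counter: u64, // deterministic id source for the demo; a real store uses a CSPRNG
}

impl SessionStore {
    fn fresh_id(&mut self) -> String {
        self.counter += 1;
        format!("sid-{:016x}", self.counter)
    }

    /// Resolve the id presented by the client in the `iron_session_id` cookie.
    /// An absent, empty or unknown id is never accepted as a session key: a new id
    /// is minted instead, so nothing is stored under "" or under an unissued id.
    pub fn resolve(&mut self, cookie: Option<&str>) -> String {
        match cookie {
            Some(id) if !id.is_empty() && self.sessions.contains_key(id) => id.to_string(),
            _ => {
                let id = self.fresh_id();
                self.sessions.insert(id.clone(), HashMap::new());
                id
            }
        }
    }

    /// Store a value; silently ignored for ids that were not issued by `resolve`.
    pub fn set(&mut self, id: &str, key: &str, value: &str) {
        if let Some(data) = self.sessions.get_mut(id) {
            data.insert(key.to_string(), value.to_string());
        }
    }

    pub fn get(&self, id: &str, key: &str) -> Option<&str> {
        self.sessions.get(id).and_then(|d| d.get(key)).map(String::as_str)
    }

    /// Rotate the id at a privilege change such as login: the data moves to a fresh
    /// id and the old id stops resolving, the standard defence against session fixation.
    pub fn regenerate(&mut self, old_id: &str) -> Option<String> {
        let data = self.sessions.remove(old_id)?;
        let new_id = self.fresh_id();
        self.sessions.insert(new_id.clone(), data);
        Some(new_id)
    }
}
```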