From 440d8a54f7b3d75dd16decb7d9d29e3724bff394 Mon Sep 17 00:00:00 2001
From: Chris Kanich <kaytwo@gmail.com>
Date: Thu, 2 Jan 2025 04:39:17 -0600
Subject: [PATCH] fix: session regeneration (#12864)

Co-authored-by: Matt Kane <m@mk.gg>
Co-authored-by: Emanuele Stoppa <my.burning@gmail.com>
---
 .changeset/hot-baboons-own.md        |  5 +++
 packages/astro/src/core/session.ts   |  3 +-
 packages/astro/test/sessions.test.js | 47 ++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/hot-baboons-own.md
 create mode 100644 packages/astro/test/sessions.test.js

diff --git a/.changeset/hot-baboons-own.md b/.changeset/hot-baboons-own.md
new file mode 100644
index 0000000000..271a396065
--- /dev/null
+++ b/.changeset/hot-baboons-own.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes a bug where the session ID wasn't correctly regenerated
diff --git a/packages/astro/src/core/session.ts b/packages/astro/src/core/session.ts
index 9ac7327c59..33117a47a0 100644
--- a/packages/astro/src/core/session.ts
+++ b/packages/astro/src/core/session.ts
@@ -182,9 +182,8 @@ export class AstroSession<TDriver extends SessionDriverName = any> {
 		const oldSessionId = this.#sessionID;
 
 		// Create new session
-		this.#sessionID = undefined;
+		this.#sessionID = crypto.randomUUID();
 		this.#data = data;
-		this.#ensureSessionID();
 		await this.#setCookie();
 
 		// Clean up old session asynchronously
diff --git a/packages/astro/test/sessions.test.js b/packages/astro/test/sessions.test.js
new file mode 100644
index 0000000000..8490e78ba3
--- /dev/null
+++ b/packages/astro/test/sessions.test.js
@@ -0,0 +1,47 @@
+import assert from 'node:assert/strict';
+import { before, describe, it } from 'node:test';
+import testAdapter from './test-adapter.js';
+import { loadFixture } from './test-utils.js';
+
+describe('Astro.session', () => {
+	/** @type {import('./test-utils').Fixture} */
+	let fixture;
+
+	before(async () => {
+		fixture = await loadFixture({
+			root: './fixtures/sessions/',
+			output: 'server',
+			adapter: testAdapter(),
+		});
+	});
+
+	describe('Production', () => {
+		let app;
+		before(async () => {
+			await fixture.build();
+			app = await fixture.loadTestAdapterApp();
+		});
+
+		async function fetchResponse(path, requestInit) {
+			const request = new Request('http://example.com' + path, requestInit);
+			const response = await app.render(request);
+			return response;
+		}
+
+		it('can regenerate session cookies upon request', async () => {
+			const firstResponse = await fetchResponse('/regenerate', { method: 'GET' });
+			const firstHeaders = Array.from(app.setCookieHeaders(firstResponse));
+			const firstSessionId = firstHeaders[0].split(';')[0].split('=')[1];
+
+			const secondResponse = await fetchResponse('/regenerate', {
+				method: 'GET',
+				headers: {
+					cookie: `astro-session=${firstSessionId}`,
+				},
+			});
+			const secondHeaders = Array.from(app.setCookieHeaders(secondResponse));
+			const secondSessionId = secondHeaders[0].split(';')[0].split('=')[1];
+			assert.notEqual(firstSessionId, secondSessionId);
+		});
+	});
+});