Recently we have discovered an auth vulnerability in our app because of the use of the express-session package.
Long story short, express-session uses the cookie connection.sid to manage its session and the session's data.
What happens is that if two users (A and B) are authenticated and user A gets the connection.sid cookie of user B, user A will run a session as if he's user B; he'll have all of user B's privileges. In other words, user A is hijacking the session of user B.
From reading over the web this is a known challenge. Are there any ways to mitigate it using express-session's built-in functionality? Or do I need to build an in-house middleware to act as an extra security layer?