Keeping the same session across a login or logout opens the door to session fixation: an attacker who knows the session ID before the victim authenticates (for example because they planted it on the victim) ends up holding a session that is now logged in as the victim, and so gains unauthorized access to that account. Always ensure that, when a user logs in or out, the current session is abandoned and a new one with a fresh ID is started.

Always call req.session.regenerate(...) to start a new session when a user logs in or out, and only record the new authentication state inside its callback.

The following example shows the pre-login session being kept after authentication. Anyone who already holds that session ID can then act as the newly logged-in user.

This code example solves the problem by not reusing the session: it calls req.session.regenerate() first, so the authenticated state is stored in a new session with a new ID and the old ID becomes useless to an attacker.

  • OWASP: Session fixation
  • Stack Overflow: Creating a new session after authentication with Passport
  • jscrambler.com: Best practices for secure session management in Node