Keep req.session.save non-enumerable

expressjs · Sep 8, 2014 · 5bc59f1 · 5bc59f1
1 parent cd6b087
commit 5bc59f1
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Keep `req.session.save` non-enumerable
   * Prevent session prototype methods from being overwritten
 
 1.8.0 / 2014-09-07

diff --git a/index.js b/index.js
@@ -286,11 +286,19 @@ function session(options){
     // wrap session methods
     function wrapmethods(sess) {
       var _save = sess.save;
-      sess.save = function save() {
+
+      function save() {
         debug('saving %s', this.id);
         savedHash = hash(this);
         _save.apply(this, arguments);
-      };
+      }
+
+      Object.defineProperty(sess, 'save', {
+        configurable: true,
+        enumerable: false,
+        value: save,
+        writable: true
+      });
     }
 
     // check if session has been modified

diff --git a/test/session.js b/test/session.js
@@ -223,6 +223,18 @@ describe('session()', function(){
     })
   })
 
+  it('should only have session data enumerable (and cookie)', function (done) {
+    var server = createServer(null, function (req, res) {
+      req.session.test1 = 1
+      req.session.test2 = 'b'
+      res.end(Object.keys(req.session).sort().join(','))
+    })
+
+    request(server)
+    .get('/')
+    .expect(200, 'cookie,test1,test2', done)
+  })
+
   describe('when response ended', function () {
     it('should have saved session', function (done) {
       var saved = false
@@ -483,7 +495,7 @@ describe('session()', function(){
             should(sid(res)).not.equal(val)
             done()
           })
-        }, 10)
+        }, 15)
       })
     })