Insecure session expiration time
Need
Enforce secure session expiration time
Context
• Usage of Dart for building cross-platform mobile, web, and desktop applications
• Usage of Shelf for managing and organizing data in a Node.js application
Description
1. Non compliant code
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  // The session is whatever the upstream middleware placed in the request context.
  var session = request.context['session'] as Map<String, dynamic>;
  // Set the session data
  session['username'] = 'user1';
  return shelf.Response.ok('Session Created');
}

In the above code snippet, we are using the `shelf` framework to handle HTTP requests in a Dart backend application. The function `handleRequest` handles incoming requests and stores a username in the session data. However, there is no mechanism in place to expire the session after a period of inactivity, so the user's session remains active indefinitely until the server is restarted or the session is manually destroyed. This is the security vulnerability known as "Insecure Session Expiration". The risk is that an attacker who obtains an active session identifier can use it to impersonate the user for as long as the session lives, and any action performed in that session is attributed to the legitimate user. To mitigate this vulnerability, we should implement a mechanism that automatically expires user sessions after a defined period of inactivity. In this case, the requirement is to expire the session after 5 minutes of inactivity.
2. Steps
• Import a package that provides session management with expiration time, such as 'shelf_session'.
• Create a session middleware with a specified timeout duration of 5 minutes.
• Apply the session middleware to your Shelf pipeline.
• In the 'handleRequest' function, retrieve the session from the request context.
• Set the session data as you currently do, but now it will automatically expire after 5 minutes of inactivity.
3. Secure code example
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_session/shelf_session.dart';
// Session middleware with a 5-minute inactivity timeout
// (the `timeout` parameter name is assumed; check the shelf_session API you use).
var sessionMiddleware = sessionMiddlewareBuilder(
  InMemorySessionStore(),
  cookieName: 'session',
  timeout: Duration(minutes: 5),
);
shelf.Response handleRequest(shelf.Request request) {
  var session = request.context['session'] as Map<String, dynamic>;
  session['username'] = 'user1'; // now expires after 5 minutes of inactivity
  return shelf.Response.ok('Session Created');
}
var handler = const shelf.Pipeline().addMiddleware(sessionMiddleware).addHandler(handleRequest);

The updated code now includes the 'shelf_session' package, which provides session management with an expiration time. A session middleware is created with a specified timeout duration of 5 minutes. This middleware is then added to the Shelf pipeline using the `addMiddleware` function. In the `handleRequest` function, the session is retrieved from the request context. The session data is set as before, but now, because of the session middleware, the session automatically expires after 5 minutes of inactivity. This ensures that user sessions do not remain active indefinitely, reducing the window in which a leaked session identifier can be abused.
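As an added example that is not part of the original page or of the shelf_session package, the following Shelf middleware shows what a 5-minute sliding idle timeout has to do underneath: record the last activity time per session, refresh it on every request, and discard the record (and issue a new identifier) once the idle window has passed. It assumes only the `shelf` package; the class names, the `session` cookie name and the sample data are chosen here.

```dart
import 'dart:convert';
import 'dart:math';
import 'package:shelf/shelf.dart' as shelf;

/// One in-memory session record together with its last-activity time.
class Session {
  final Map<String, dynamic> data = {};
  DateTime lastSeen;
  Session(this.lastSeen);
}

/// In-memory store with a sliding idle timeout; `maxIdle` is the only policy knob.
class IdleExpiringSessionStore {
  final Duration maxIdle;
  final Map<String, Session> _sessions = {};
  final Random _rng = Random.secure();
  IdleExpiringSessionStore({this.maxIdle = const Duration(minutes: 5)});

  // 256 bits from a CSPRNG so identifiers cannot be guessed or enumerated.
  String _newId() =>
      base64Url.encode(List<int>.generate(32, (_) => _rng.nextInt(256)));

  /// Returns (id, session); an unknown or idle-expired id yields a fresh session.
  MapEntry<String, Session> resolve(String? id, DateTime now) {
    final existing = id == null ? null : _sessions[id];
    if (existing != null && now.difference(existing.lastSeen) <= maxIdle) {
      existing.lastSeen = now; // activity refreshes the idle window
      return MapEntry(id!, existing);
    }
    if (id != null) _sessions.remove(id); // drop the stale record, never reuse it
    final fresh = _newId();
    return MapEntry(fresh, _sessions[fresh] = Session(now));
  }

  /// Shelf middleware: reads the `session` cookie, resolves or rotates the session,
  /// exposes its data via request.context['session'] and sets the cookie on the way out.
  shelf.Middleware middleware() => (inner) => (request) async {
        final cookie = request.headers['cookie'] ?? '';
        final match = RegExp(r'(?:^|;\s*)session=([^;]+)').firstMatch(cookie);
        final entry = resolve(match?.group(1), DateTime.now());
        final response = await inner(
            request.change(context: {'session': entry.value.data}));
        return response.change(headers: {
          'set-cookie':
              'session=${entry.key}; HttpOnly; Secure; SameSite=Strict; Path=/'
        });
      };
}
```

Wire it in with `const shelf.Pipeline().addMiddleware(IdleExpiringSessionStore().middleware()).addHandler(handleRequest)`; a request arriving more than 5 minutes after the previous one gets an empty session and a new cookie, which is the behaviour the non-compliant code lacks.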
References
• 068. Insecure session expiration time