Insecure session management

Need

Secure session management

Context

• Usage of Dart 2.0 for building high-performance, cross-platform applications

• Usage of Shelf for managing and organizing data in Node.js applications

• Usage of shelf_session for managing session data in a Shelf application

Description

1. Non compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_session/shelf_session.dart';

// Create session middleware
var sessionMiddleware = sessionMiddlewareMemory();

var handler = const shelf.Pipeline()
    .addHandler(_handleRequest);...

The above Dart code uses the `shelf` and `shelf_session` packages to create a simple server with session management. The server listens on `localhost` port `8080` and responds to each request with a greeting message that includes the session token. The vulnerability lies in the `_handleRequest` function, where a session token is retrieved from the request but no expiration is set on it. This means that even after a user terminates their session, the token remains valid and can be used to make subsequent requests. This is a serious security issue as it could allow an attacker to reuse old session tokens to impersonate users and perform actions on their behalf.

2. Steps

• Introduce a mechanism to invalidate the session token once the user logs out or after a certain period of inactivity.

• You can use the 'expire' method provided by the 'shelf_session' package to set an expiration time for the session token.

• Ensure that the server checks the validity of the session token with each request. If the token is expired, the server should reject the request.

• Implement a mechanism to refresh the session token periodically while the user is active. This can help prevent session hijacking.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_session/shelf_session.dart';

// Create session middleware
var sessionMiddleware = sessionMiddlewareMemory();

var handler = const shelf.Pipeline()
    .addHandler(_handleRequest);...

The updated code introduces a mechanism to handle session expiration and refresh the session token periodically. In the `_handleRequest` function, we first retrieve the session from the request context. We then check if the session token is expired using the `isExpired` property of the `Session` object. If the session token is expired, we return a 403 Forbidden response. Next, we refresh the session token using the `refresh` method of the `Session` object. This ensures that the session token is periodically updated while the user is active, which can help prevent session hijacking. Finally, we return a response with a greeting message that includes the session token. This is just for demonstration purposes and in a real-world application, you would typically not include the session token in the response. In the `main` function, we start the server and listen for requests on localhost port 8080. The server uses the `handler` function to handle incoming requests, which includes the session middleware for managing sessions.

References

• 076. Insecure session management

On this page