Concurrent sessions
Need
Prevent multiple simultaneous sessions from the same user account to maintain traceability and non-repudiation of user actions.
Context
• Usage of Elixir for building scalable and concurrent applications
• Usage of Plug and Cowboy for HTTP request and response handling
• Session management for user data
Description
1. Non-compliant code

defmodule VulnerableApp do
  use Plug.Router
  plug :match
  plug :dispatch
  post "/login" do
    if user do...

This code creates a new session for the user on every login, even when that user already has an active session, so the same account can hold several concurrent sessions.
2. Steps
• Track the number of active sessions for each user.
• If a user tries to create a new session while they already have one, end the existing session or deny the creation of a new one.
• Notify the user when a new session is created from a different location.
3. Secure code example
defmodule SecureApp do
  use Plug.Router
  plug :match
  plug :dispatch
  post "/login" do
    if user do...

This code prevents concurrent sessions by checking, at login, whether the user already has an active session. If one exists, it is ended before the new session is created, so only the most recent session remains valid.
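The steps above, worked through as an added example that is not the page's own code: a per-user session registry that ends any existing session at login and reports the previous session's origin so the caller can notify the user. It assumes a plain Elixir runtime; the `SingleSession` module name, the Agent-backed store and the IP-based "location" are assumptions, and wiring `login/2` into a Plug `post "/login"` handler is left to the caller.

```elixir
# Added example (not the page's own code): single active session per user.
# Assumes plain Elixir; SingleSession and its API are assumed names.
defmodule SingleSession do
  use Agent

  # State: %{user_id => %{token: binary, ip: binary}}
  def start_link(_opts \\ []), do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Creates a session for `user_id` from `ip`. If the user already has an
  # active session it is ended first, and the caller gets the old IP so it
  # can notify the user when the new session comes from a different location.
  def login(user_id, ip) do
    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    Agent.get_and_update(__MODULE__, fn sessions ->
      previous = Map.get(sessions, user_id)
      updated = Map.put(sessions, user_id, %{token: token, ip: ip})

      result =
        case previous do
          nil -> {:ok, token}
          %{ip: old_ip} -> {:replaced, token, old_ip}
        end

      {result, updated}
    end)
  end

  # A request is authenticated only if its token is the user's *current* one,
  # so a token belonging to an ended session is rejected.
  def valid?(user_id, token) do
    Agent.get(__MODULE__, fn sessions ->
      case Map.get(sessions, user_id) do
        %{token: ^token} -> true
        _ -> false
      end
    end)
  end

  def logout(user_id), do: Agent.update(__MODULE__, &Map.delete(&1, user_id))
end

# Constructed usage: a second login ends the first session.
{:ok, _pid} = SingleSession.start_link()
{:ok, t1} = SingleSession.login("alice", "10.0.0.1")
{:replaced, t2, "10.0.0.1"} = SingleSession.login("alice", "10.0.0.2")
false = SingleSession.valid?("alice", t1)
true = SingleSession.valid?("alice", t2)
IO.puts("old session ended, only the new session is valid")
```

Run it with `elixir single_session.exs`; to deny instead of replace, the caller can refuse when `login/2` returns `{:replaced, ...}` and roll back, or check for an existing entry first and skip the insert.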
References
• 062. Concurrent sessions