Insecure session expiration time

Need

Prevent unauthorized access to user information and actions.

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug.Session for managing session data in Elixir applications

• Usage of a server with indefinite session persistence

Description

1. Non compliant code

defmodule VulnerableApp do
  use Plug.Router

  plug Plug.Session, store: :cookie

  plug :match
  plug :dispatch
  get "/" do...

This code uses the Plug.Session to manage sessions but does not set a timeout for session expiration. This means that sessions will remain active indefinitely, which can be exploited by an attacker.

2. Steps

• Use the 'expires' option in the Plug.Session plug to set a timeout for session expiration.

• Set the timeout to a reasonable value, such as 5 minutes.

3. Secure code example

defmodule SecureApp do
  use Plug.Router

  plug Plug.Session, store: :cookie, expires: 5 * 60

  plug :match
  plug :dispatch
  get "/" do...

This code correctly sets a timeout for session expiration using the 'expires' option in the Plug.Session plug. After 5 minutes of inactivity, sessions will expire and cannot be used again, preventing unauthorized access.

References

• 068. Insecure session expiration time

On this page