Insecure session expiration time - Elixir


Need

Prevent unauthorized access to user information and actions.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug.Session for managing session data in Elixir applications
  3. Usage of a server with indefinite session persistence

Description

Insecure Code Example

defmodule VulnerableApp do
  use Plug.Router

  # Cookie-backed session. The :key and :signing_salt options are required by
  # Plug.Session and its cookie store (placeholder salt, for illustration only).
  # No max_age is given, so the session cookie is issued without a lifetime
  # and nothing bounds how long a captured session value remains usable.
  plug Plug.Session,
    store: :cookie,
    key: "_vulnerable_app_session",
    signing_salt: "CHANGE_ME_SIGNING_SALT"

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end

This code uses Plug.Session to manage sessions but never sets a lifetime for the session cookie. Sessions therefore remain valid indefinitely, so a session cookie that is stolen or leaked keeps granting access for as long as the attacker holds it.

Steps

  1. Use the max_age option of the Plug.Session plug to give the session cookie a finite lifetime, in seconds.
  2. Set the lifetime to a reasonable value, such as 5 minutes.

Secure Code Example

defmodule SecureApp do
  use Plug.Router

  # Same session setup, but max_age bounds the session cookie's lifetime
  # (Max-Age of 300 seconds). Plug.Session exposes this as :max_age; there is
  # no :expires option. Placeholder salt, for illustration only.
  plug Plug.Session,
    store: :cookie,
    key: "_secure_app_session",
    signing_salt: "CHANGE_ME_SIGNING_SALT",
    max_age: 5 * 60

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end

This code correctly sets a timeout for session expiration using the max_age option of the Plug.Session plug. After 5 minutes of inactivity, sessions expire and cannot be reused, which limits the window in which a leaked session cookie grants unauthorized access.
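One caveat a practitioner should know: max_age is counted from the moment the cookie was last written, and Plug.Session only rewrites the cookie when the session changes, so max_age alone gives an absolute lifetime rather than an inactivity timeout. The router below is an added example, not code from the original page: it stamps the session on every request (so the cookie is re-issued with a fresh Max-Age) and rejects requests whose last activity is older than the idle window, enforcing the timeout server-side regardless of what the client does. The module name, the enforce_idle_timeout plug, the session key name and the salt value are assumptions.

```elixir
defmodule SessionTimeoutExample do
  use Plug.Router

  # Idle window in seconds (5 minutes, matching the page's recommendation).
  @idle_seconds 5 * 60

  # Placeholder key and salt for illustration only; use real secrets per deployment.
  plug Plug.Session,
    store: :cookie,
    key: "_session_timeout_example",
    signing_salt: "CHANGE_ME_SIGNING_SALT",
    max_age: 5 * 60

  # Session must be fetched before get_session/put_session can be used.
  plug :fetch_session
  plug :enforce_idle_timeout
  plug :match
  plug :dispatch

  # Rejects a session whose last activity is older than the idle window and
  # drops it; otherwise records the current time, which marks the session as
  # written so Plug.Session re-issues the cookie with a fresh Max-Age.
  def enforce_idle_timeout(conn, _opts) do
    now = System.system_time(:second)

    case get_session(conn, "last_active_at") do
      ts when is_integer(ts) and now - ts > @idle_seconds ->
        conn
        |> configure_session(drop: true)
        |> put_resp_content_type("text/plain")
        |> send_resp(401, "Session expired")
        |> halt()

      _ ->
        put_session(conn, "last_active_at", now)
    end
  end

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end
```

Because the timestamp lives inside the signed session cookie, a client cannot extend its own idle window by editing the value; the browser-side Max-Age and the server-side check expire together.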


References

  • 068 - Insecure session expiration time

  Last updated: 2023/09/18