
Insecure session management - Elixir


Need

To prevent unauthorized access and potential misuse of session tokens.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug.Session for HTTP session management
  3. Session tokens that remain usable even after the user has logged out

Description

Insecure Code Example

defmodule VulnerableApp do
  use Plug.Router

  # Cookie store: the whole session travels in the client's cookie.
  # :key and :signing_salt are required by Plug.Session; conn.secret_key_base
  # must be set upstream (e.g. with Plug.Conn.put_secret_key_base/2).
  plug Plug.Session,
    store: :cookie,
    key: "_vulnerable_app_session",
    signing_salt: "example-signing-salt"

  plug :match
  plug :dispatch

  # Logout only answers with a message: the session is left untouched,
  # so the session cookie issued before logout stays valid.
  get "/logout" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged out!")
  end
end

This code sets up a session using Plug.Session. However, when a user logs out, the session is never invalidated: the session cookie issued before logout remains valid and can be reused.

Steps

  1. When a user logs out, their session must be invalidated so that their session token cannot be used again.
  2. This can be done with the Plug.Conn.delete_session/2 function, which removes the given key from the session data held by the client.

Secure Code Example

defmodule SecureApp do
  use Plug.Router

  plug Plug.Session,
    store: :cookie,
    key: "_secure_app_session",
    signing_salt: "example-signing-salt"

  plug :match
  # delete_session/2 requires the session to have been fetched first.
  plug :fetch_session
  plug :dispatch

  get "/logout" do
    conn
    # Remove the authenticated user's entry from the session.
    |> delete_session(:user)
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged out!")
  end
end

This code removes the user's entry from the session when the user logs out, so the session token no longer identifies an authenticated user.
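One caveat a practitioner should keep in mind with the `:cookie` store: the session data lives entirely in the client's cookie, so deleting a key only changes what the client is told to store next; a cookie captured before logout stays valid until it expires, because the server keeps no record to revoke. The following added example (not code from the page or from the Plug project) shows a logout that revokes the session on the server side instead. It assumes a server-side session store, here Plug's built-in ETS store, and an ETS table named `:session_store` created at application start; the `/login/:user_id` route is a hypothetical stand-in for a real credential check.

```elixir
# Added example: server-side session revocation on logout.
# Assumes the table is created at boot, e.g. in the application's start/2:
#   :ets.new(:session_store, [:named_table, :public, read_concurrency: true])
defmodule SessionDemo.Router do
  use Plug.Router

  # Server-side store: the cookie carries only an opaque session id and the
  # data lives in the ETS table, so dropping the session on logout actually
  # revokes the id (a copied cookie can no longer be redeemed).
  plug Plug.Session,
    store: :ets,
    key: "_session_demo_sid",
    table: :session_store

  plug :match
  plug :fetch_session
  plug :dispatch

  # Hypothetical login handler: a real application verifies credentials
  # first; the user id is taken from the path purely for illustration.
  post "/login/:user_id" do
    conn
    # Issue a fresh session id on login so a pre-login id cannot be reused
    # (session fixation).
    |> configure_session(renew: true)
    |> put_session(:user_id, user_id)
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged in as #{user_id}")
  end

  get "/me" do
    case get_session(conn, :user_id) do
      nil -> send_resp(conn, 401, "Not logged in")
      user_id -> send_resp(conn, 200, "Logged in as #{user_id}")
    end
  end

  # Logout drops the whole session: Plug.Session deletes the store entry
  # and clears the cookie, instead of removing a single key.
  get "/logout" do
    conn
    |> configure_session(drop: true)
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged out!")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end
```

With this router, a request to `/me` carrying the old cookie after `/logout` returns 401, because the session id no longer resolves to any stored data. Plug's ETS store is documented as unsuitable for production (it is node-local and unbounded); a production deployment would use the same pattern with a persistent shared store, keeping the `configure_session(drop: true)` logout unchanged.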


References

  • 076 - Insecure session management

  • Last updated: 2023/09/18