
Need

To prevent unauthorized access and potential misuse of session tokens.

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug.Session for HTTP session management

• Session tokens that remain usable after the user logs out, because the logout handler never clears or drops the session

Description

1. Non-compliant code

defmodule VulnerableApp do
  use Plug.Router

  # Plug.Session with store: :cookie also requires the :key and :signing_salt
  # options; they are omitted here exactly as in the original snippet.
  plug Plug.Session, store: :cookie

  plug :match
  plug :dispatch

  get "/logout" do
    # ... (handler body elided on the page; it finishes the logout flow
    # without clearing or dropping the session, so the cookie stays valid)
  end
end

This code sets up a cookie-backed session with Plug.Session, but the logout handler never clears the session data or drops the session cookie. Whoever still holds the cookie (the browser, or an attacker who captured it) can keep presenting it after "logout" and the application will continue to treat the request as authenticated.

2. Steps

• When a user logs out, the session must be invalidated so that the session token cannot be used for further requests.

• Plug.Conn.delete_session/2 removes a single key from the session data. To end the whole session, call Plug.Conn.clear_session/1 to remove every key and Plug.Conn.configure_session/2 with drop: true, which deletes the server-side record (for server-backed stores such as Plug.Session.ETS) and expires the session cookie in the response.

• With store: :cookie the session data lives entirely in the signed cookie and nothing is kept on the server, so dropping the session only tells the client to discard the cookie; a copy captured before logout remains cryptographically valid until its max_age elapses. Where revocation on logout matters, keep the session data in a server-side store so the record can actually be deleted.

3. Secure code example

defmodule SecureApp do
  use Plug.Router

  # Plug.Session with store: :cookie also requires the :key and :signing_salt
  # options; they are omitted here exactly as in the original snippet.
  plug Plug.Session, store: :cookie

  plug :match
  plug :dispatch

  get "/logout" do
    # ... (handler body elided on the page; this is where the session data is
    # cleared and the session dropped before the response is sent)
  end
end

This code invalidates the session when the user logs out: the session data is cleared and the session is dropped, so the token presented afterwards no longer resolves to an authenticated session.
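The complete logout flow, as an added example that is not the page's own code. It swaps the page's cookie store for Plug.Session.ETS so the server holds the session record and logout can truly delete it, and it drives the router with Plug.Test to show that a cookie captured before logout is rejected afterwards. The module names SecureApp and SecureApp.ReplayCheck, the table name :secure_app_sessions, the cookie name _secure_app_sid and the user id 42 are illustrative assumptions.

```elixir
defmodule SecureApp do
  use Plug.Router

  # Server-side session store (assumed setup, not the page's): only a random
  # session id travels in the cookie; the data lives in the ETS table, so
  # logout can delete the record and a replayed cookie finds nothing.
  # Plug.Session.ETS is meant for development (no expiry, single node); use a
  # database- or Redis-backed store with the same semantics in production.
  plug Plug.Session,
    store: Plug.Session.ETS,
    key: "_secure_app_sid",
    table: :secure_app_sessions,
    http_only: true,
    same_site: "Lax"

  plug :fetch_session
  plug :match
  plug :dispatch

  post "/login" do
    # Credential checking is out of scope here; assume user 42 was verified.
    conn
    |> configure_session(renew: true)   # new session id on login (anti-fixation)
    |> put_session(:user_id, 42)
    |> send_resp(200, "logged in")
  end

  get "/me" do
    case get_session(conn, :user_id) do
      nil -> send_resp(conn, 401, "not authenticated")
      id -> send_resp(conn, 200, "user #{id}")
    end
  end

  get "/logout" do
    conn
    |> clear_session()                  # remove every key from the session data
    |> configure_session(drop: true)    # delete the server record, expire the cookie
    |> send_resp(200, "logged out")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule SecureApp.ReplayCheck do
  @moduledoc "Drives SecureApp with Plug.Test to show a post-logout replay fails."
  import Plug.Test

  def run do
    # Plug.Session.ETS expects an existing named, public table.
    if :ets.whereis(:secure_app_sessions) == :undefined do
      :ets.new(:secure_app_sessions, [:named_table, :public, read_concurrency: true])
    end

    opts = SecureApp.init([])

    # Log in and keep the response: its cookie is the session token.
    login = conn(:post, "/login") |> SecureApp.call(opts)

    # Present the cookie while the session is alive.
    before = conn(:get, "/me") |> recycle_cookies(login) |> SecureApp.call(opts)

    # Log out with that same cookie; the ETS record is deleted.
    _logout = conn(:get, "/logout") |> recycle_cookies(login) |> SecureApp.call(opts)

    # Replay the pre-logout cookie, as someone who captured it would.
    replay = conn(:get, "/me") |> recycle_cookies(login) |> SecureApp.call(opts)

    %{
      before_logout: {before.status, before.resp_body},
      after_logout: {replay.status, replay.resp_body}
    }
  end
end
```

Run SecureApp.ReplayCheck.run/0 in iex with plug available: the first /me request should succeed, and the replayed cookie should be answered with 401 because the session id no longer maps to a stored record. Switching the store back to :cookie keeps the same logout code compiling, but the replayed request would still be authenticated until the cookie's max_age passes, which is the caveat described in the steps above.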