Session Fixation

Need

Prevent session hijacking by securing session cookies.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Phoenix framework for web request handling

• Usage of Plug.Session for session management

Description

1. Non compliant code

defmodule MyApp.SessionController do
  use MyApp, :controller

  def create(conn, %{"user" => user_params}) do
    case MyApp.Authenticator.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> redirect(to: "/welcome")...

This Elixir/Phoenix code does not handle session cookies securely. The session cookie is not regenerated after login, which allows an attacker to fixate a session, and then hijack the user session once the victim logs in.

2. Steps

• Regenerate the session cookie after login to prevent session fixation.

• This can be done by deleting the old session and creating a new one.

3. Secure code example

defmodule MyApp.SessionController do
  use MyApp, :controller

  def create(conn, %{"user" => user_params}) do
    case MyApp.Authenticator.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)...

This secure Elixir/Phoenix code example regenerates the session cookie after a successful login. The call to 'configure_session(renew: true)' ensures a new session is created, preventing session fixation.

References

• 280. Session Fixation

On this page