Insecure Object Reference - Session Management

Need

To prevent unauthorized users from closing sessions of other users

Context

• Usage of Elixir 1.12 for building scalable and fault-tolerant applications

• Usage of Phoenix Framework 1.6 for web development

Description

1. Non-compliant code

defmodule SessionManager do
  import Plug.Conn
  import Phoenix.Controller

  # `email` is caller-supplied and is never verified against the authenticated
  # session, so the request decides whose session is ended.
  def logout_user(conn, email) do
    # Clearing the session
    conn
    |> put_flash(:info, "Logged out successfully.")
    |> configure_session(drop: true)
    |> redirect(to: "/")
  end
end

In this non-compliant code, `logout_user` identifies the session to end by the email supplied with the request. That identifier is under the caller's control and is never tied to the authenticated session, so anyone who knows a user's email address can log that user out.

2. Steps

• Use a secure identifier, like a session token, to identify the user for the logout operation

• Implement checks to validate that the session being terminated matches the user performing the operation

3. Secure code example

defmodule SessionManager do
  import Plug.Conn
  import Phoenix.Controller

  def logout_user(conn, session_token) do
    user = get_user_from_session_token(session_token) # assumed to be provided by the application's accounts context
    if user != nil and conn.assigns.current_user == user do
      # Clearing the session
      conn
      |> put_flash(:info, "Logged out successfully.")
      |> configure_session(drop: true)
      |> redirect(to: "/")
    else
      conn |> put_status(:forbidden) |> text("Forbidden")
    end
  end
end

In the secure version of the code, the session token is resolved to its owner and the session is only dropped when that owner is the authenticated user (`conn.assigns.current_user`), so a caller cannot terminate a session that is not their own.
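The two steps above carried into a complete Phoenix 1.6 controller, as an added example that is not the page's own code. It assumes an authentication plug has set `conn.assigns.current_user` and stored the session token under the `:user_token` session key, and that `MyApp.Accounts` exposes `get_user_by_session_token/1` and `delete_session_token/1` (the names `mix phx.gen.auth` generates); the module and function names are assumptions.

```elixir
defmodule MyAppWeb.SessionController do
  import Plug.Conn
  import Phoenix.Controller
  # Assumption: MyApp.Accounts is the accounts context generated by phx.gen.auth.
  alias MyApp.Accounts

  # DELETE /logout
  # Preferred form: the session to end is the one bound to this request's cookie.
  # No caller-supplied identifier is involved, so there is nothing to substitute.
  def delete(conn, _params) do
    case get_session(conn, :user_token) do
      nil -> :ok
      token -> Accounts.delete_session_token(token) # invalidate server-side as well
    end

    end_session(conn, "Logged out successfully.")
  end

  # DELETE /logout with a "session_token" parameter (the page's scenario).
  # Resolve the token to its owner and require that owner to be the authenticated
  # user; the pattern {%{id: id}, %{id: id}} matches only when both are present and equal.
  def revoke(conn, %{"session_token" => token}) do
    case {conn.assigns[:current_user], Accounts.get_user_by_session_token(token)} do
      {%{id: id}, %{id: id}} ->
        Accounts.delete_session_token(token)
        end_session(conn, "Logged out successfully.")

      # Unknown token, someone else's token and an unauthenticated caller all get the
      # same response, so the endpoint does not reveal which tokens exist.
      _ ->
        conn |> put_status(:forbidden) |> text("Forbidden")
    end
  end

  # Clear and renew the cookie session so the old session id is not reusable.
  # put_flash comes after the renew: flash lives in the session, and dropping the
  # session outright (configure_session(drop: true)) would discard the message.
  defp end_session(conn, message) do
    conn
    |> clear_session()
    |> configure_session(renew: true)
    |> put_flash(:info, message)
    |> redirect(to: "/")
  end
end
```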