Concurrent sessions

Need

Prevent multiple simultaneous sessions from the same user account to maintain traceability and non-repudiation of user actions.

Context

  • Usage of Elixir for building scalable and concurrent applications
  • Usage of Plug and Cowboy for HTTP request and response handling
  • Session management for user data

Description

Non compliant code

defmodule VulnerableApp do
  use Plug.Router

  # Body params (username/password) are only available once a parser has run;
  # without it conn.params holds query-string params alone.
  plug Plug.Parsers, parsers: [:urlencoded]
  plug :match
  plug :dispatch

  post "/login" do
    # authenticate_user/2 and start_session/1 are the application's own helpers
    # (not shown on this page).
    user = authenticate_user(conn.params["username"], conn.params["password"])

    if user do
      # A fresh session is started unconditionally: any session the account
      # already holds stays valid alongside the new one.
      _session = start_session(user)
      send_resp(conn, 200, "Logged in")
    else
      send_resp(conn, 401, "Unauthorized")
    end
  end
end

This code starts a new session on every successful login without checking whether the account already has an active one, so the same user can hold several valid sessions at the same time. With more than one live session per account, actions can no longer be reliably tied to a single login, which undermines traceability and non-repudiation.

Steps

  • Track the number of active sessions for each user.
  • If a user tries to create a new session while they already have one, end the existing session or deny the creation of a new one.
  • Notify the user when a new session is created from a different location.
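The three steps above, carried out in one place, as an added example that is not code from the original page: a hypothetical SessionRegistry GenServer that keeps at most one session per user. Because every start/lookup/end request is serialized through the GenServer process, "end the existing session, then start the new one" is a single atomic operation, so two logins for the same account racing each other cannot both end up with a live session. The evicted token is returned to the caller so the login handler can carry out the notification step. The module and function names, the in-memory maps and the token format are all assumptions made for illustration; a real deployment would persist sessions (ETS, a database, or a distributed store) and tie tokens to a cookie.

```elixir
# Added example: single-session registry. All names here are hypothetical and
# are not part of Plug, Cowboy, or the page's VulnerableApp/SecureApp modules.
defmodule SessionRegistry do
  use GenServer

  ## Client API

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, :ok, Keyword.put_new(opts, :name, __MODULE__))
  end

  # Start a session for user_id, evicting the session the user already holds.
  # Returns {:ok, new_token, evicted_token_or_nil}; the evicted token lets the
  # caller notify the user that an earlier session was terminated.
  def start_session(server \\ __MODULE__, user_id) do
    GenServer.call(server, {:start_session, user_id})
  end

  # Resolve a token to its user, or :error if the token is unknown or was evicted.
  def lookup(server \\ __MODULE__, token) do
    GenServer.call(server, {:lookup, token})
  end

  # Explicit logout.
  def end_session(server \\ __MODULE__, token) do
    GenServer.call(server, {:end_session, token})
  end

  # Demonstration: a second login for the same user invalidates the first token.
  def demo do
    {:ok, _pid} = start_link()
    {:ok, t1, nil} = start_session("alice")
    {:ok, "alice"} = lookup(t1)
    {:ok, t2, ^t1} = start_session("alice")
    :error = lookup(t1)
    {:ok, "alice"} = lookup(t2)
    :ok = end_session(t2)
    :error = lookup(t2)
    :ok
  end

  ## Server callbacks

  @impl true
  def init(:ok) do
    # by_user: user_id => current token; by_token: token => user_id
    {:ok, %{by_user: %{}, by_token: %{}}}
  end

  @impl true
  def handle_call({:start_session, user_id}, _from, state) do
    # Both the eviction and the insertion happen inside this one callback, so no
    # other caller can observe a moment where the user has zero or two sessions.
    old_token = Map.get(state.by_user, user_id)
    new_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    by_token =
      state.by_token
      |> Map.delete(old_token)
      |> Map.put(new_token, user_id)

    by_user = Map.put(state.by_user, user_id, new_token)
    {:reply, {:ok, new_token, old_token}, %{state | by_user: by_user, by_token: by_token}}
  end

  def handle_call({:lookup, token}, _from, state) do
    case Map.fetch(state.by_token, token) do
      {:ok, user_id} -> {:reply, {:ok, user_id}, state}
      :error -> {:reply, :error, state}
    end
  end

  def handle_call({:end_session, token}, _from, state) do
    case Map.pop(state.by_token, token) do
      {nil, _} ->
        {:reply, :error, state}

      {user_id, by_token} ->
        by_user = Map.delete(state.by_user, user_id)
        {:reply, :ok, %{state | by_user: by_user, by_token: by_token}}
    end
  end
end
```

Running SessionRegistry.demo/0 in iex walks through the whole sequence with pattern-match assertions; a login route would call start_session/1, store the returned token in a cookie, and send a notification whenever the third element of the reply is not nil.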

Compliant code

defmodule SecureApp do
  use Plug.Router

  plug Plug.Parsers, parsers: [:urlencoded]
  plug :match
  plug :dispatch

  post "/login" do
    # authenticate_user/2, end_existing_session/1 and start_session/1 are the
    # application's own helpers (not shown on this page).
    user = authenticate_user(conn.params["username"], conn.params["password"])

    if user do
      # Invalidate whatever session the account already holds before issuing a
      # new one, so at most one session per user is valid at any time.
      end_existing_session(user)
      _session = start_session(user)
      send_resp(conn, 200, "Logged in")
    else
      send_resp(conn, 401, "Unauthorized")
    end
  end
end

This code prevents concurrent sessions by ending any session the user already has before creating a new one, so a successful login always leaves the account with exactly one valid session. Two points matter for this to hold in practice: the session store must be keyed by user and shared by all request-handling processes (an in-process variable is not enough), and the end-then-start pair must be atomic, otherwise two logins for the same account arriving at the same time can each end the other's predecessor and both remain valid. The notification step listed above is not shown here; the login handler should emit it whenever an existing session was terminated.

References