Insecure session expiration time
Need
Prevent unauthorized access to user information and actions.
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug.Session for managing session data in Elixir applications
- Usage of a server with indefinite session persistence
Description
Non-compliant code
defmodule VulnerableApp do
  use Plug.Router

  # The cookie store needs a secret_key_base of at least 64 bytes on the conn; a real app loads it from configuration.
  @secret_key_base String.duplicate("change-me-", 7)

  plug :put_secret_key_base
  # No max_age: the session cookie is a browser-session cookie with no server-imposed lifetime.
  plug Plug.Session, store: :cookie, key: "_vulnerable_app_session", signing_salt: "signing salt"
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end

  defp put_secret_key_base(conn, _opts), do: %{conn | secret_key_base: @secret_key_base}
end
This code uses Plug.Session to manage sessions but never sets a lifetime for the session cookie. The session therefore stays valid for as long as the client keeps presenting the cookie, so a stolen or leaked cookie can be replayed indefinitely.
Steps
- Use the max_age option of the Plug.Session plug, which Plug passes through as the Max-Age attribute of the session cookie, to set a lifetime for the session.
- Set the lifetime to a reasonable value, such as 5 minutes (300 seconds).
Compliant code
defmodule SecureApp do
  use Plug.Router

  # The cookie store needs a secret_key_base of at least 64 bytes on the conn; a real app loads it from configuration.
  @secret_key_base String.duplicate("change-me-", 7)

  plug :put_secret_key_base
  plug Plug.Session,
    store: :cookie,
    key: "_secure_app_session",
    signing_salt: "signing salt",
    max_age: 5 * 60
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end

  defp put_secret_key_base(conn, _opts), do: %{conn | secret_key_base: @secret_key_base}
end
This code sets a lifetime for the session using the max_age option of the Plug.Session plug. The session cookie is sent with Max-Age=300, so the browser discards it 5 minutes after it was last written and an idle session cannot be reused, preventing unauthorized access. Note that Max-Age is honoured by the browser rather than enforced by the server, so an application-level check of the last activity time is the complement that makes the limit hold for any client.
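As an added example (not code from the original page), the following plug enforces the inactivity limit on the server as well, since max_age only tells the browser when to discard the cookie. The module name IdleTimeoutPlug, the :idle_seconds option and the "last_active_at" session key are chosen here; the plug assumes Plug.Session has already run earlier in the pipeline.

```elixir
defmodule IdleTimeoutPlug do
  @moduledoc """
  Server-side inactivity timeout for Plug.Session.

  Max-Age on the session cookie is honoured by the browser, not enforced by
  the server, so this plug also records the time of the last request in the
  session and discards any session that has been idle longer than allowed.
  Place it after Plug.Session and before :match in the router pipeline.
  """
  @behaviour Plug
  import Plug.Conn

  # Session key holding the Unix timestamp (seconds) of the last request.
  @last_active_key "last_active_at"

  @impl true
  def init(opts), do: Keyword.get(opts, :idle_seconds, 5 * 60)

  @impl true
  def call(conn, idle_seconds) do
    conn = fetch_session(conn)
    now = System.system_time(:second)

    case get_session(conn, @last_active_key) do
      last when is_integer(last) and now - last > idle_seconds ->
        # Idle too long: wipe the session data and rotate the cookie, so any
        # previously authenticated user is treated as logged out downstream.
        conn
        |> clear_session()
        |> configure_session(renew: true)
        |> put_session(@last_active_key, now)

      _ ->
        # New or still-active session: slide the inactivity window forward.
        # Writing the session also re-sends the cookie with a fresh Max-Age,
        # so the browser-side limit and the server-side limit stay aligned.
        put_session(conn, @last_active_key, now)
    end
  end
end
```

Wire it in with `plug IdleTimeoutPlug, idle_seconds: 5 * 60` directly after the Plug.Session line of the compliant router.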