Insecure session management
Need
To prevent unauthorized access and potential misuse of session tokens.
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug.Session for HTTP session management
- Usage of session token reuse in server even after user logout
Description
Non compliant code
defmodule VulnerableApp do
use Plug.Router
plug Plug.Session, store: :cookie
plug :match
plug :dispatch
get "/logout" do
conn
|> put_resp_content_type("text/plain")
|> send_resp(200, "Logged out!")
end
end
This code sets up a session using Plug.Session. However, when a user logs out, their session is not properly invalidated, leaving it vulnerable to misuse.
Steps
- When a user logs out, their session should be invalidated to prevent further use of their session token.
- This can be done using the Plug.Conn.delete_session/2 function, which removes the session data from the client.
Compliant code
defmodule SecureApp do
use Plug.Router
plug Plug.Session, store: :cookie
plug :match
plug :dispatch
get "/logout" do
conn
|> delete_session(:user)
|> put_resp_content_type("text/plain")
|> send_resp(200, "Logged out!")
end
end
This code correctly invalidates the session when the user logs out, preventing further use of their session token.