
Insecure session management

Need

To prevent unauthorized access and potential misuse of session tokens.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug.Session for HTTP session management
  • Session tokens that remain usable on the server even after the user has logged out

Description

Non-compliant code

  defmodule VulnerableApp do
    use Plug.Router

    # Plug.Session requires :key, and the :cookie store requires :signing_salt;
    # the values here are placeholders (the cookie store also needs
    # conn.secret_key_base to be set, e.g. by the endpoint).
    plug Plug.Session, store: :cookie, key: "_app_session", signing_salt: "CHANGE_ME"

    plug :match
    plug :dispatch

    # Logout only answers the request; the session data is left untouched.
    get "/logout" do
      conn
      |> put_resp_content_type("text/plain")
      |> send_resp(200, "Logged out!")
    end
  end

This code sets up a session using Plug.Session. However, when a user logs out, the session is never invalidated: the handler only responds with "Logged out!", so the session token remains valid and can still be used.

Steps

  • When a user logs out, their session should be invalidated to prevent further use of their session token.
  • This can be done using the Plug.Conn.delete_session/2 function, which removes the given key from the session data; the updated session is then written back to the client in the response.

Compliant code

  defmodule SecureApp do
    use Plug.Router

    # Same placeholder options as above: :key is mandatory and the :cookie
    # store needs :signing_salt.
    plug Plug.Session, store: :cookie, key: "_app_session", signing_salt: "CHANGE_ME"

    # The session must be fetched before delete_session/2 can be called.
    plug :fetch_session
    plug :match
    plug :dispatch

    # Logout removes the :user key from the session before responding.
    get "/logout" do
      conn
      |> delete_session(:user)
      |> put_resp_content_type("text/plain")
      |> send_resp(200, "Logged out!")
    end
  end

This code correctly invalidates the session when the user logs out, preventing further use of their session token.
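The following is an added example, not code from the original page. It exercises the logout flow from the Steps above end to end with Plug.Test, and goes one step further than the page: it compares the stateless :cookie store with a server-side store (Plug's built-in :ets store) when the client replays the cookie it held before logout. Route names, the cookie key "_demo", the signing salt, the ETS table name and the secret are all constructed for the example; it assumes Elixir 1.12 or newer for Mix.install.

```elixir
# Added example (not from the original page). Constructed names/values:
# routes, cookie key "_demo", signing salt, table :demo_sessions, secret.
Mix.install([{:plug, "~> 1.14"}])

defmodule SessionDemo.Router do
  use Plug.Router
  # Plug.Session is applied by SessionDemo.run/2 so the same routes can be
  # exercised with two different session stores.
  plug :match
  plug :dispatch

  # Constructed login: any POST to /login puts a user into the session.
  post "/login" do
    conn |> put_session(:user, "alice") |> send_resp(200, "Logged in")
  end

  get "/me" do
    case get_session(conn, :user) do
      nil -> send_resp(conn, 401, "Anonymous")
      user -> send_resp(conn, 200, "Hello #{user}")
    end
  end

  # drop: true discards every key, deletes the server-side record (for stores
  # that keep one) and expires the cookie, rather than re-saving the remaining keys.
  get "/logout" do
    conn |> configure_session(drop: true) |> send_resp(200, "Logged out")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule SessionDemo do
  import Plug.Test
  import Plug.Conn

  @key "_demo"
  # Constructed secret; the cookie store requires >= 64 bytes in conn.secret_key_base.
  @secret String.duplicate("s", 64)

  @cookie_store [store: :cookie, key: @key, signing_salt: "demo-salt"]
  @ets_store [store: :ets, key: @key, table: :demo_sessions]

  # Run one request through Plug.Session and the router, as an endpoint would.
  def run(conn, session_opts) do
    %{conn | secret_key_base: @secret}
    |> Plug.Session.call(Plug.Session.init(session_opts))
    |> fetch_session()
    |> SessionDemo.Router.call(SessionDemo.Router.init([]))
  end

  # Log in, log out, then replay the cookie issued *before* logout against /me.
  # Returns {status, body} of the replayed request.
  def replay_after_logout(session_opts) do
    login = run(conn(:post, "/login"), session_opts)
    old_cookie = login.resp_cookies[@key].value

    _logout = run(put_req_cookie(conn(:get, "/logout"), @key, old_cookie), session_opts)

    replay = run(put_req_cookie(conn(:get, "/me"), @key, old_cookie), session_opts)
    {replay.status, replay.resp_body}
  end

  def demo do
    :ets.new(:demo_sessions, [:named_table, :public, read_concurrency: true])

    # Stateless store: the old signed cookie still decodes, so the user is still "logged in".
    IO.inspect(replay_after_logout(@cookie_store), label: "cookie store, replayed cookie")
    # Server-side store: logout deleted the record, so the old cookie is now anonymous.
    IO.inspect(replay_after_logout(@ets_store), label: "ets store, replayed cookie")
  end
end

SessionDemo.demo()
```

With the :cookie store, all session state lives in the signed cookie, so delete_session/2 or configure_session(drop: true) can only change what the browser is told to keep; a copy of the pre-logout cookie still verifies until it expires. If logout must revoke the token regardless of what the client does, keep the session (or at least a session identifier that is checked on every request) on the server side, as the :ets variant shows, and remove it on logout; Plug's ETS store is a demonstration store without expiry, so a production deployment would use a persistent store with the same semantics.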

References