Insecurely Generated Token

Need

Create secure, unpredictable session tokens to prevent reuse

Context

Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
Usage of Phoenix.Token for token generation and verification

Description

Non compliant code

defmodule InsecureToken do
  def generate_token(user_id) do
    user_id
    |> Integer.to_string
    |> String.reverse
  end
end

The generate_token function is insecure because it simply reverses the user_id and uses it as a token. This approach is predictable and can easily be reverse-engineered, which could allow an attacker to reuse a session token after 14 days.

Steps

Install the Phoenix.Token package if it's not already installed.
Use Phoenix.Token.sign/3 to generate a secure token, providing the user_id as the salt.
Use Phoenix.Token.verify/4 to verify tokens before use.

Compliant code

defmodule SecureToken do
  @secret_key_base "s3cr3t"

  def generate_token(user_id) do
    Phoenix.Token.sign(@secret_key_base, "user salt", user_id)
  end

  def verify_token(token, user_id) do
    Phoenix.Token.verify(@secret_key_base, "user salt", token, max_age: 14 * 24 * 60 * 60)
  end
end

The generate_token function now uses Phoenix.Token.sign/3 to generate a secure token, and verify_token uses Phoenix.Token.verify/4 to verify the token's integrity and timeliness. The token is cryptographically secure and unpredictable, and it cannot be reused after 14 days.

References

078.Insecurely generated token

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​