Sensitive Information Sent Via URL Parameters - Session

Need

Prevent unauthorized access to user sessions.

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Phoenix framework for web request handling
Usage of Guardian for JWT session management

Description

Non compliant code

defmodule MyApp.SessionController do
  use MyApp, :controller

  def create(conn, %{"user" => user_params}) do
    jwt = MyApp.SessionContext.create_jwt(user_params)
    redirect(conn, to: "/welcome?jwt=#{jwt}")
  end
end

This Elixir/Phoenix code does not handle JWT session tokens securely. It sends the JWT as a URL parameter which can be cached by the browser or logged in server logs. This exposes the token to potential theft.

Steps

Don't send sensitive information such as JWTs in the URL.
Instead, use secure mechanisms such as HTTP headers or cookies.

Compliant code

defmodule MyApp.SessionController do
  use MyApp, :controller

  def create(conn, %{"user" => user_params}) do
    jwt = MyApp.SessionContext.create_jwt(user_params)
    conn = put_resp_header(conn, "authorization", "Bearer #{jwt}")
    redirect(conn, to: "/welcome")
  end
end

This secure Elixir/Phoenix code example sends the JWT as an HTTP header. This prevents it from being exposed in the URL or cached by the browser.

References

276.Sensitive information sent via URL parameters - Session

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​