Sensitive Information Sent Via URL Parameters - Session
Need
Prevent unauthorized access to user sessions.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix framework for web request handling
- Usage of Guardian for JWT session management
Description
Non compliant code
defmodule MyApp.SessionController do
use MyApp, :controller
def create(conn, %{"user" => user_params}) do
jwt = MyApp.SessionContext.create_jwt(user_params)
redirect(conn, to: "/welcome?jwt=#{jwt}")
end
end
This Elixir/Phoenix code does not handle JWT session tokens securely. It sends the JWT as a URL parameter which can be cached by the browser or logged in server logs. This exposes the token to potential theft.
Steps
- Don't send sensitive information such as JWTs in the URL.
- Instead, use secure mechanisms such as HTTP headers or cookies.
Compliant code
defmodule MyApp.SessionController do
use MyApp, :controller
def create(conn, %{"user" => user_params}) do
jwt = MyApp.SessionContext.create_jwt(user_params)
conn = put_resp_header(conn, "authorization", "Bearer #{jwt}")
redirect(conn, to: "/welcome")
end
end
This secure Elixir/Phoenix code example sends the JWT as an HTTP header. This prevents it from being exposed in the URL or cached by the browser.