Insecure Session Management After Password Change

Need

Ensure security after password change

Context

  • Usage of Elixir 1.12 for functional programming
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

defmodule MyApp.Accounts do
  import Ecto.Changeset
  alias MyApp.Repo

  def change_password(user, new_password) do
    # Writes the new password but leaves every existing session untouched
    user
    |> change()
    |> put_change(:password, new_password)
    |> Repo.update()
  end
end

The code demonstrates a password change functionality which does not invalidate the session after the password change. If an attacker had compromised this session, they would maintain control even after the legitimate user has changed their password.

Steps

  • Ensure that the session is invalidated or renewed after the password change
  • This could involve destroying the current session and forcing the user to log in again with their new password

Compliant code

defmodule MyApp.Accounts do
  import Ecto.Changeset
  alias MyApp.Repo

  def change_password(conn, user, new_password) do
    user
    |> change()
    |> put_change(:password, new_password)
    |> Repo.update()
    |> case do
      {:ok, _user} ->
        # Drop the current session so the caller must log in again with the new password
        Plug.Conn.clear_session(conn)

      {:error, _changeset} ->
        # The password was not changed, so the existing session is left as it is
        conn
    end
  end
end

The code now includes a function call to clear the session after the password change. This forces any user, legitimate or attacker, to re-authenticate after the password change, effectively locking out any attacker that had compromised the previous session.
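Clearing the session on the `conn` that performed the change only affects the cookie of that one browser; with Plug's default cookie-backed session, a session cookie an attacker already holds is a separate cookie and keeps working until it expires. The step "invalidate or renew the session" therefore needs the sessions to live server side, where a password change can revoke all of them at once and then issue a fresh one to the legitimate client. The following is an added example, not code from the original page or from Phoenix itself: `MyApp.SessionStore`, `MyApp.Accounts`, the user map and the "old-secret"/"new-secret" values are constructed for the demonstration, an Agent stands in for a database table of session tokens, and PBKDF2 through OTP's `:crypto` (OTP 24.2 or later) stands in for a proper password hasher such as Argon2 or Bcrypt. It also checks the current password before changing it, which the original snippets do not show.

```elixir
# Added example (hypothetical modules): server-side session tokens so that a
# password change revokes every session of the user, not only the requesting one.
# Run with: elixir session_revoke.exs
defmodule MyApp.SessionStore do
  use Agent

  def start_link(_opts \\ []), do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Issue a 256-bit random token bound to a user id; the cookie carries the token.
  def create(user_id) do
    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    Agent.update(__MODULE__, &Map.put(&1, token, user_id))
    token
  end

  # Resolve a presented token to a user id; nil means "no valid session".
  def lookup(token), do: Agent.get(__MODULE__, &Map.get(&1, token))

  # Revoke every token of one user, whichever browser or device holds it.
  def delete_all_for_user(user_id) do
    Agent.update(__MODULE__, fn tokens ->
      tokens
      |> Enum.reject(fn {_token, uid} -> uid == user_id end)
      |> Map.new()
    end)
  end
end

defmodule MyApp.Accounts do
  alias MyApp.SessionStore

  # PBKDF2-HMAC-SHA256 via :crypto (OTP 24.2+) as a stand-in for Argon2/Bcrypt.
  @iterations 100_000

  def hash_password(password) do
    salt = :crypto.strong_rand_bytes(16)
    key = :crypto.pbkdf2_hmac(:sha256, password, salt, @iterations, 32)
    Base.encode64(salt) <> "$" <> Base.encode64(key)
  end

  def valid_password?(password, stored) do
    [salt_b64, key_b64] = String.split(stored, "$", parts: 2)
    salt = Base.decode64!(salt_b64)
    key = Base.decode64!(key_b64)
    secure_compare(key, :crypto.pbkdf2_hmac(:sha256, password, salt, @iterations, 32))
  end

  # Constant-time comparison: XOR the binaries and OR all bytes together, so the
  # time taken does not depend on where the first mismatching byte is.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    :crypto.exor(a, b)
    |> :binary.bin_to_list()
    |> Enum.reduce(0, &Bitwise.bor/2) == 0
  end

  defp secure_compare(_a, _b), do: false

  # Change the password, revoke all of the user's sessions (including the one
  # making this request) and hand the caller a fresh token so the legitimate
  # client stays logged in while any previously obtained session stops resolving.
  def change_password(user, current_password, new_password) do
    if valid_password?(current_password, user.password_hash) do
      updated = %{user | password_hash: hash_password(new_password)}
      SessionStore.delete_all_for_user(user.id)
      {:ok, updated, SessionStore.create(user.id)}
    else
      {:error, :invalid_current_password}
    end
  end
end

# Walk-through with constructed data: the user's own browser session plus a
# second session that represents one an attacker obtained earlier.
{:ok, _pid} = MyApp.SessionStore.start_link()
user = %{id: 1, password_hash: MyApp.Accounts.hash_password("old-secret")}
browser_token = MyApp.SessionStore.create(user.id)
other_token = MyApp.SessionStore.create(user.id)

{:ok, user, fresh_token} = MyApp.Accounts.change_password(user, "old-secret", "new-secret")

IO.inspect(MyApp.SessionStore.lookup(other_token), label: "previously obtained session")
IO.inspect(MyApp.SessionStore.lookup(browser_token), label: "old browser session")
IO.inspect(MyApp.SessionStore.lookup(fresh_token), label: "fresh session")
IO.inspect(MyApp.Accounts.valid_password?("new-secret", user.password_hash), label: "new password accepted")
```

After the change both pre-existing tokens resolve to `nil` while the freshly issued one still maps to the user, which is the property the "Steps" above ask for. In a Phoenix application the Agent would be an Ecto-backed token table and the controller would put the fresh token into the session of the requesting `conn`; the generated `phx.gen.auth` code follows the same idea by deleting all of a user's tokens when the password is updated.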