
Insecure Object Reference - Session Management

Need

To prevent unauthorized users from closing sessions of other users

Context

  • Usage of Elixir 1.12 for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework 1.6 for web development

Description

Non-compliant code

defmodule SessionManager do
  import Plug.Conn
  import Phoenix.Controller

  # The email is a guessable, caller-supplied identifier: nothing ties it to
  # the session that is actually authenticated on this request.
  def logout_user(conn, email) do
    # Clearing the session
    conn
    |> put_flash(:info, "Logged out successfully.")
    |> configure_session(drop: true)
    |> redirect(to: "/")
  end
end

In this insecure code, the logout_user function logs out a user based on the email provided. An email address is public or easily guessed and is never verified against the caller's own authenticated session, so an attacker who knows a user's email can terminate that user's session.

Steps

  • Use a secure identifier, like a session token, to identify the user for the logout operation
  • Implement checks to validate that the session being terminated matches the user performing the operation

Compliant code

defmodule SessionManager do
  import Plug.Conn
  import Phoenix.Controller

  def logout_user(conn, session_token) do
    user = get_user_from_session_token(session_token)
    current = conn.assigns[:current_user]

    # Terminate the session only if the token resolves to the very user that is
    # authenticated on this request; an unknown token (nil) never matches.
    if user != nil and current != nil and user.id == current.id do
      # Clearing the session
      conn
      |> put_flash(:info, "Logged out successfully.")
      |> configure_session(drop: true)
      |> redirect(to: "/")
    else
      # Do not allow logging out other users' sessions; a Phoenix action must
      # still return a conn, so refuse explicitly instead of returning nil.
      conn
      |> put_flash(:error, "You are not allowed to end this session.")
      |> redirect(to: "/")
    end
  end

  # Logic to get the user from the session token. The page leaves this lookup
  # application-specific; here it is assumed to live in an Accounts context
  # (mix phx.gen.auth generates a function of this name).
  defp get_user_from_session_token(session_token) do
    MyApp.Accounts.get_user_by_session_token(session_token)
  end
end

In the secure version of the code, the session is identified by an opaque token rather than an email, and the system checks that the user this token resolves to is the same user initiating the logout operation, refusing the request otherwise.
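The two steps above (an opaque session identifier, plus an ownership check before termination), as an added standalone example that is not the page's or the Phoenix project's own code. It is dependency-free Elixir that runs with `elixir session_registry.exs`; the module name, the Agent-backed in-memory store, the token format and the sample user ids are this example's own assumptions.

```elixir
# Added example (not the page's code): a minimal session registry that enforces
# the ownership check from the Steps section. Assumed names: SessionRegistry,
# the Agent-backed store and the user ids 1 and 2 used in the demo below.
defmodule SessionRegistry do
  use Agent

  def start_link(_opts \\ []) do
    Agent.start_link(fn -> %{} end, name: __MODULE__)
  end

  # Create a session for user_id and return the token the client will hold.
  # Sessions are keyed by a random, unguessable token, never by email or user id.
  def login(user_id) do
    token =
      32
      |> :crypto.strong_rand_bytes()
      |> Base.url_encode64(padding: false)

    Agent.update(__MODULE__, &Map.put(&1, token, %{user_id: user_id}))
    token
  end

  # caller_id is the identity authenticated on the request (in Phoenix this would
  # come from conn.assigns.current_user, never from a request parameter);
  # token is the session the caller asks to terminate.
  def logout(caller_id, token) do
    Agent.get_and_update(__MODULE__, fn sessions ->
      case Map.fetch(sessions, token) do
        # Only the owner of the session may end it.
        {:ok, %{user_id: ^caller_id}} ->
          {:ok, Map.delete(sessions, token)}

        # Foreign or unknown token: refuse without revealing which of the two
        # it was, and leave the registry untouched.
        _unknown_or_foreign ->
          {{:error, :forbidden}, sessions}
      end
    end)
  end

  def active?(token), do: Agent.get(__MODULE__, &Map.has_key?(&1, token))
end

# Constructed demo: user 1 (Alice) and user 2 (Bob) each hold a session.
{:ok, _pid} = SessionRegistry.start_link()
alice_token = SessionRegistry.login(1)
_bob_token = SessionRegistry.login(2)

# Bob presents Alice's token: refused, and Alice's session stays alive.
{:error, :forbidden} = SessionRegistry.logout(2, alice_token)
true = SessionRegistry.active?(alice_token)

# Alice ends her own session: allowed.
:ok = SessionRegistry.logout(1, alice_token)
false = SessionRegistry.active?(alice_token)

# A second attempt on the now-unknown token is refused the same way.
{:error, :forbidden} = SessionRegistry.logout(1, alice_token)
IO.puts("ownership check enforced")
```

The registry returns the same `{:error, :forbidden}` for a token owned by someone else and for a token that does not exist, so a logout endpoint built on it does not act as an oracle for which tokens are live. In a Phoenix controller the `caller_id` argument must be taken from the authenticated assigns set by the authentication plug, which is what makes the comparison in the compliant code meaningful.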

References