Security Controls Bypass or Absence - Session Invalidation
Need
To ensure proper session management and invalidate sessions appropriately
Context
- Usage of Elixir 1.12 for building scalable and concurrent applications
- Usage of Plug.Session for HTTP session management
Description
Non-compliant code
defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    # Debug branch left in production: the literal "auto" is accepted as a
    # valid session and mapped to a test mailbox, bypassing authentication.
    if session == "auto", do: "[email protected]", else: session.email
  end
end
In the insecure code example, the get_user_email function reads the :user value from the session to find the user's email. However, debug code was left in that accepts the literal string 'auto' as a session value and returns a testing email address, so anyone able to present such a session obtains access without authenticating. This is insecure because it allows unauthorized access.
Steps
- Remove the debugging code from the production environment
- Ensure all test code is isolated from production code
Compliant code
defmodule MyApp.Accounts do
  def get_user_email(conn) do
    # Only the :user value placed in the session by the real login flow is used.
    session = Plug.Conn.get_session(conn, :user)
    session.email
  end
end
In the secure code example, the get_user_email function only reads the user's email from the session, and there is no debug branch that can be exploited for unauthorized access.
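The following script, added here as an illustration and not part of the original page, exercises both lookups with Plug.Test so the bypass and the fix can be observed side by side; it assumes Plug is fetched through Mix.install and uses a constructed "debug@example.test" placeholder and a hypothetical Hardened.Accounts module that also refuses a missing session instead of raising.

```elixir
# Added example (not the page's own code). Run with: elixir session_check.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule Insecure.Accounts do
  # Same shape as the non-compliant code above; "debug@example.test" is a
  # constructed placeholder for the testing mailbox.
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    if session == "auto", do: "debug@example.test", else: session.email
  end
end

defmodule Hardened.Accounts do
  # Hypothetical hardened lookup: only a session map written by the real login
  # flow (carrying a binary :email) yields an address. A bare string such as
  # "auto", or no session at all, is treated as unauthenticated.
  def get_user_email(conn) do
    case Plug.Conn.get_session(conn, :user) do
      %{email: email} when is_binary(email) -> {:ok, email}
      _ -> {:error, :unauthenticated}
    end
  end
end

import Plug.Test

# A session holding only the magic debug value.
auto_conn = conn(:get, "/") |> init_test_session(%{user: "auto"})
IO.inspect(Insecure.Accounts.get_user_email(auto_conn), label: "insecure, user=auto")
IO.inspect(Hardened.Accounts.get_user_email(auto_conn), label: "hardened, user=auto")

# A session populated by a genuine login (constructed sample user).
user_conn = conn(:get, "/") |> init_test_session(%{user: %{email: "alice@example.org"}})
IO.inspect(Hardened.Accounts.get_user_email(user_conn), label: "hardened, real user")

# No session at all: the hardened lookup returns an error tuple rather than
# crashing on nil.email.
IO.inspect(Hardened.Accounts.get_user_email(conn(:get, "/")), label: "hardened, no session")
```

Wiring the hardened function into a plug that halts with 401 on {:error, :unauthenticated} keeps the decision in one place and makes the removed debug path easy to verify in a test suite.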