Insecure session expiration time - Dart

Need

Enforce secure session expiration time

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for handling HTTP requests and composing middleware in a Dart server application

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;

        shelf.Response handleRequest(shelf.Request request) {
          // The session object placed in the request context by whatever
          // session middleware sits upstream; treated as a plain map here.
          var session = request.context['session'] as Map<String, dynamic>;

          // Set the session data; nothing ever invalidates it
          session['username'] = 'user1';

          return shelf.Response.ok('Session Created');
        }

In the above code snippet, we are using the Shelf framework to handle HTTP requests in a Dart backend application. The function handleRequest is used to handle incoming requests.

We are setting the session data with a username value. However, there is no mechanism in place to expire the session after a certain period of inactivity. This means that the user's session will remain active indefinitely until the server is restarted or the session is manually destroyed.

This is a security vulnerability known as "Insecure Session Expiration". The risk here is that an attacker could potentially hijack an active session and impersonate the user. This could lead to unauthorized actions being performed under the user's identity.

To mitigate this vulnerability, we should implement a mechanism to automatically expire user sessions after a certain period of inactivity. In this case, the requirement is to expire the session after 5 minutes of inactivity.

Steps

  • Import a package that provides session management with expiration time, such as 'shelf_session'.
  • Create a session middleware with a specified timeout duration of 5 minutes.
  • Apply the session middleware to your Shelf pipeline.
  • In the 'handleRequest' function, retrieve the session from the request context.
  • Set the session data as you currently do, but now it will automatically expire after 5 minutes of inactivity.

Compliant code

        import 'package:shelf/shelf.dart' as shelf;
        import 'package:shelf_session/shelf_session.dart';

        // Create a session middleware with a specified timeout duration of 5 minutes.
        var sessionMiddleware = sessionMiddlewareBuilder(
          InMemorySessionStore(),
          cookieName: 'session',
          sessionTimeout: Duration(minutes: 5),
        );

        // Apply the session middleware to your Shelf pipeline.
        var handler = const shelf.Pipeline()
            .addMiddleware(sessionMiddleware)
            .addHandler(handleRequest);

        shelf.Response handleRequest(shelf.Request request) {
          // Retrieve the session that the middleware stored in the request context.
          var session = request.context['session'] as Map<String, dynamic>;

          // Set the session data; the middleware drops it after 5 idle minutes
          session['username'] = 'user1';

          return shelf.Response.ok('Session Created');
        }

The updated code now includes the 'shelf_session' package, which provides session management with an expiration time.

A session middleware is created with a specified timeout duration of 5 minutes. This middleware is then added to the Shelf pipeline using the addMiddleware function.

In the handleRequest function, the session is retrieved from the request context. The session data is set as before, but now, due to the session middleware, the session will automatically expire after 5 minutes of inactivity.

This ensures that user sessions do not remain active indefinitely: a hijacked or abandoned session becomes unusable once the idle window passes, which reduces the risk of unauthorized access.
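To show what the Steps above and the compliant code actually have to enforce, here is an added example (not code from the original page, and not the shelf_session package's own implementation) that builds the same 5-minute idle timeout directly on package:shelf. The store, the cookie name 'session', the '/login' and '/me' routes and the Session class are all assumptions made for this illustration. The server-side check in IdleSessionStore.touch is the authoritative one; the cookie's Max-Age is only a hint to the browser.

```dart
// Added example, not from the original page: a sliding idle-timeout
// session middleware using only package:shelf (no shelf_session dependency).
import 'dart:io';
import 'dart:math';
import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as shelf_io;

/// Hypothetical session record: an id, arbitrary data, last activity time.
class Session {
  final String id;
  final Map<String, Object?> data = {};
  DateTime lastSeen;
  Session(this.id, this.lastSeen);
}

/// In-memory store that forgets any session idle longer than [idleTimeout].
class IdleSessionStore {
  final Duration idleTimeout;
  final Map<String, Session> _sessions = {};
  final Random _rng = Random.secure(); // CSPRNG for session ids

  IdleSessionStore({this.idleTimeout = const Duration(minutes: 5)});

  Session create() {
    // 128 random bits, hex encoded, so ids are not guessable.
    final bytes = List<int>.generate(16, (_) => _rng.nextInt(256));
    final id = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();
    return _sessions[id] = Session(id, DateTime.now());
  }

  /// Returns the live session for [id], or null if unknown or expired.
  /// Expired sessions are removed server-side on first sight.
  Session? touch(String? id) {
    if (id == null) return null;
    final s = _sessions[id];
    if (s == null) return null;
    final now = DateTime.now();
    if (now.difference(s.lastSeen) > idleTimeout) {
      _sessions.remove(id);
      return null;
    }
    s.lastSeen = now; // activity extends the idle window
    return s;
  }

  void destroy(String id) => _sessions.remove(id);
}

const _cookieName = 'session'; // assumed cookie name

String? _cookieValue(Request request, String name) {
  final header = request.headers['cookie'];
  if (header == null) return null;
  for (final part in header.split(';')) {
    final kv = part.trim().split('=');
    if (kv.length == 2 && kv[0] == name) return kv[1];
  }
  return null;
}

/// Middleware: resolve the cookie to a live session (or null) and expose it
/// to downstream handlers through the request context.
Middleware idleSessionMiddleware(IdleSessionStore store) {
  return (Handler inner) => (Request request) async {
        final session = store.touch(_cookieValue(request, _cookieName));
        return await inner(request.change(context: {'session': session}));
      };
}

Response login(Request request, IdleSessionStore store) {
  final session = store.create();
  session.data['username'] = 'user1';
  // Max-Age mirrors the server timeout; HttpOnly/Secure/SameSite harden it.
  return Response.ok('Session Created', headers: {
    'set-cookie': '$_cookieName=${session.id}; HttpOnly; Secure; '
        'SameSite=Strict; Max-Age=${store.idleTimeout.inSeconds}',
  });
}

Response whoAmI(Request request) {
  final session = request.context['session'] as Session?;
  if (session == null) {
    return Response(401, body: 'Session missing or expired');
  }
  return Response.ok('Hello ${session.data['username']}');
}

Future<void> main() async {
  final store = IdleSessionStore(idleTimeout: const Duration(minutes: 5));
  final handler = const Pipeline()
      .addMiddleware(logRequests())
      .addMiddleware(idleSessionMiddleware(store))
      .addHandler((request) {
    switch (request.url.path) {
      case 'login':
        return login(request, store);
      case 'me':
        return whoAmI(request);
      default:
        return Response.notFound('Not found');
    }
  });
  await shelf_io.serve(handler, InternetAddress.loopbackIPv4, 8080);
}
```

Run it with `dart run`, call `/login` to receive the cookie, then `/me` with that cookie; after five minutes without requests `/me` answers 401 and the store has already discarded the record, so a replayed cookie is worthless even though the client still holds it. Note that an in-memory map is only suitable for a single process; a shared store would be needed behind a load balancer, and a periodic sweep would keep the map from accumulating records that are never touched again.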

References