Insecure session expiration time - Elixir

Need

Prevent unauthorized access to user information and actions.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug.Session for managing session data in Elixir applications
  • Usage of a server with indefinite session persistence

Description

Non-compliant code

    defmodule VulnerableApp do
      use Plug.Router

      # Plug.Session requires :key and the cookie store requires :signing_salt
      # (sample values here); conn.secret_key_base must be set upstream, e.g. by
      # the endpoint. No lifetime is configured, so the session cookie has no
      # max-age and stays usable for as long as the client keeps presenting it.
      plug Plug.Session,
        store: :cookie,
        key: "_vulnerable_app_key",
        signing_salt: "sample-signing-salt"

      plug :match
      plug :dispatch

      get "/" do
        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(200, "Hello world!")
      end
    end


This code uses Plug.Session to manage sessions but sets no timeout for session expiration. Sessions therefore remain valid indefinitely, so a session cookie that is stolen or leaked stays usable by an attacker for as long as it is presented.

Steps

  • Use the 'expires' option in the Plug.Session plug to set a timeout for session expiration.
  • Set the timeout to a reasonable value, such as 5 minutes.

Compliant code

    defmodule SecureApp do
      use Plug.Router

      # Plug.Session expresses the session cookie lifetime through :max_age
      # (seconds); that is the option that actually sets the expiration.
      # :key and :signing_salt are required (sample values here).
      plug Plug.Session,
        store: :cookie,
        key: "_secure_app_key",
        signing_salt: "sample-signing-salt",
        max_age: 5 * 60

      plug :match
      plug :dispatch

      get "/" do
        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(200, "Hello world!")
      end
    end


This code correctly sets a timeout for session expiration using the 'expires' option in the Plug.Session plug. After 5 minutes of inactivity, sessions will expire and cannot be used again, preventing unauthorized access.
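A cookie lifetime is enforced by the browser, not the server: a client that keeps the cookie past its max-age can still present it, and the signed payload is verified on its own terms. The following added example (not code from the original page) complements the cookie lifetime with a server-side idle check: a small plug records the last activity time in the session and drops the session once more than the timeout has elapsed. The module names, the `:timeout` option, the cookie name, the salt and the `secret_key_base` placeholder are all assumptions made for this example; load the real secret from configuration.

```elixir
# Added example: enforce the idle timeout on the server rather than trusting
# the browser to discard an expired cookie.
defmodule IdleSessionTimeout do
  @moduledoc "Drops a session that has been idle longer than the configured timeout."
  import Plug.Conn

  # Hypothetical option name; seconds of inactivity tolerated (default 5 minutes).
  def init(opts), do: Keyword.get(opts, :timeout, 5 * 60)

  def call(conn, timeout) do
    conn = fetch_session(conn)
    now = System.system_time(:second)

    case get_session(conn, :last_active_at) do
      last when is_integer(last) and now - last > timeout ->
        # Idle too long: clear every value and tell the store not to re-issue the cookie.
        conn
        |> clear_session()
        |> configure_session(drop: true)
        |> assign(:session_expired, true)

      _ ->
        # New or still-active session: stamp the current time for the next request.
        conn
        |> put_session(:last_active_at, now)
        |> assign(:session_expired, false)
    end
  end
end

defmodule SecureAppWithIdleTimeout do
  use Plug.Router

  # Plug.Session.COOKIE signs the session with conn.secret_key_base, which must be
  # at least 64 bytes long; a Phoenix endpoint sets it for you. Placeholder here.
  plug :put_secret_key_base

  plug Plug.Session,
    store: :cookie,
    key: "_secure_app_key",                  # constructed cookie name
    signing_salt: "constructed-signing-salt", # constructed sample salt
    max_age: 5 * 60                          # browser-side cookie lifetime, seconds

  plug IdleSessionTimeout, timeout: 5 * 60   # server-side idle limit, seconds
  plug :match
  plug :dispatch

  get "/" do
    body =
      if conn.assigns[:session_expired],
        do: "Session expired after 5 minutes of inactivity; please sign in again.",
        else: "Hello world!"

    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, body)
  end

  defp put_secret_key_base(conn, _opts) do
    # PLACEHOLDER: read the real value from config or the environment, never hard-code it.
    %{conn | secret_key_base: String.duplicate("0", 64)}
  end
end
```

Start it with `Plug.Cowboy.http(SecureAppWithIdleTimeout, [])` and request `/` twice more than five minutes apart: the second request sees `session_expired` set to `true`, and the response carries no refreshed session cookie because `configure_session(drop: true)` suppresses it. Keeping the idle check in its own plug means it runs for every route after `Plug.Session`, so a single forgotten route cannot bypass it.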

References