Insecure session management - Elixir

Need

To prevent unauthorized access and potential misuse of session tokens.

Context

Usage of Elixir for building scalable and fault-tolerant applications
Usage of Plug.Session for HTTP session management
Usage of session token reuse in server even after user logout

Description

Non compliant code

        defmodule VulnerableApp do
  use Plug.Router

  plug Plug.Session, store: :cookie

  plug :match
  plug :dispatch

  get "/logout" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged out!")
  end
end

This code sets up a session using Plug.Session. However, when a user logs out, their session is not properly invalidated, leaving it vulnerable to misuse.

Steps

When a user logs out, their session should be invalidated to prevent further use of their session token.
This can be done using the Plug.Conn.delete_session/2 function, which removes the session data from the client.

Compliant code

        defmodule SecureApp do
  use Plug.Router

  plug Plug.Session, store: :cookie

  plug :match
  plug :dispatch

  get "/logout" do
    conn
    |> delete_session(:user)
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Logged out!")
  end
end

This code correctly invalidates the session when the user logs out, preventing further use of their session token.

References

076. Insecure session management