Need

Create secure, unpredictable session tokens to prevent reuse

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
• Usage of Phoenix.Token for token generation and verification

Description

Non compliant code

        defmodule InsecureToken do
  def generate_token(user_id) do
    user_id
    |> Integer.to_string
    |> String.reverse
  end
end
        
        

The generate_token function is insecure because it simply reverses the user_id and uses it as a token. This approach is predictable and can easily be reverse-engineered, which could allow an attacker to reuse a session token after 14 days.

Steps

• Install the Phoenix.Token package if it's not already installed.
• Use `Phoenix.Token.sign/3` to generate a secure token, providing the user_id as the salt.
• Use `Phoenix.Token.verify/4` to verify tokens before use.

Compliant code

        defmodule SecureToken do
  @secret_key_base "s3cr3t"

  def generate_token(user_id) do
    Phoenix.Token.sign(@secret_key_base, "user salt", user_id)
  end

  def verify_token(token, user_id) do
    Phoenix.Token.verify(@secret_key_base, "user salt", token, max_age: 14 * 24 * 60 * 60)
  end
end
        
        

The generate_token function now uses Phoenix.Token.sign/3 to generate a secure token, and verify_token uses Phoenix.Token.verify/4 to verify the token's integrity and timeliness. The token is cryptographically secure and unpredictable, and it cannot be reused after 14 days.

References

• 078. Insecurely generated token