Sensitive Information Sent Via URL Parameters - Session - Elixir

Need

Prevent unauthorized access to user sessions.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix framework for web request handling
  • Usage of Guardian for JWT session management

Description

Non-compliant code

        defmodule MyApp.SessionController do
          use MyApp, :controller

          def create(conn, %{"user" => user_params}) do
            jwt = MyApp.SessionContext.create_jwt(user_params)
            # The token is placed in the query string, so it is written to
            # browser history, proxy caches and server access logs.
            redirect(conn, to: "/welcome?jwt=#{jwt}")
          end
        end

This Elixir/Phoenix code does not handle the JWT session token securely. It sends the JWT as a URL parameter, which can be cached by the browser or logged in server logs, exposing the token to potential theft.

Steps

  • Don't send sensitive information such as JWTs in the URL.
  • Instead, use secure mechanisms such as HTTP headers or cookies.

Compliant code

        defmodule MyApp.SessionController do
          use MyApp, :controller

          def create(conn, %{"user" => user_params}) do
            jwt = MyApp.SessionContext.create_jwt(user_params)
            # The token travels in a response header instead of the URL.
            conn = put_resp_header(conn, "authorization", "Bearer #{jwt}")
            redirect(conn, to: "/welcome")
          end
        end

This secure Elixir/Phoenix code example sends the JWT as an HTTP header. This prevents it from being exposed in the URL or cached by the browser.
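The steps above also allow a cookie as the carrier. Because a browser does not automatically echo a response header back on later requests, a browser-driven flow would typically use the cookie variant; the following is an added example, not code from the original page, and assumes a Guardian implementation module MyApp.Guardian (one that does `use Guardian, otp_app: :my_app`) and a hypothetical MyApp.Accounts.authenticate/1 that returns `{:ok, user}` or `{:error, reason}`.

```elixir
defmodule MyApp.SessionController do
  use MyApp, :controller

  # Assumed helpers: MyApp.Accounts.authenticate/1 and MyApp.Guardian.
  def create(conn, %{"user" => user_params}) do
    with {:ok, user} <- MyApp.Accounts.authenticate(user_params),
         {:ok, jwt, _claims} <- MyApp.Guardian.encode_and_sign(user) do
      conn
      # Cookie instead of query string: the token never reaches browser
      # history, Referer headers or access logs.
      |> put_resp_cookie("jwt", jwt,
        http_only: true,      # not readable by page JavaScript
        secure: true,         # sent over HTTPS only
        same_site: "Strict",  # not attached to cross-site requests
        max_age: 60 * 60      # align with the token's lifetime
      )
      |> redirect(to: "/welcome")
    else
      _ -> conn |> put_status(:unauthorized) |> text("invalid credentials")
    end
  end
end

defmodule MyApp.Plugs.RequireJwtCookie do
  @moduledoc "Reads the JWT from the cookie (never from the URL) and verifies it."
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    conn = fetch_cookies(conn)

    with token when is_binary(token) <- conn.req_cookies["jwt"],
         {:ok, claims} <- MyApp.Guardian.decode_and_verify(token) do
      assign(conn, :jwt_claims, claims)
    else
      # Missing, malformed or expired token: reject before the controller runs.
      _ -> conn |> send_resp(401, "unauthorized") |> halt()
    end
  end
end
```

Mount MyApp.Plugs.RequireJwtCookie in the router pipeline for authenticated routes; a token that only ever appears in a cookie with these attributes cannot leak through a shared link or a log line.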

References