Insecure Session Management After Password Change - Elixir

Need

Ensure security after password change

Context

  • Usage of Elixir 1.12 for functional programming
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

    defmodule MyApp.Accounts do
      import Ecto.Changeset
      alias MyApp.Repo

      # Persists the new password but leaves every existing session untouched
      def change_password(user, new_password) do
        user
        |> change()
        |> put_change(:password, new_password)
        |> Repo.update()
      end
    end

The code demonstrates a password change functionality which does not invalidate the session after the password change. If an attacker had compromised this session, they would maintain control even after the legitimate user has changed their password.

Steps

  • Ensure that the session is invalidated or renewed after the password change
  • This could involve destroying the current session and forcing the user to log in again with their new password

Compliant code

    defmodule MyApp.Accounts do
      import Ecto.Changeset
      alias MyApp.Repo

      def change_password(conn, user, new_password) do
        user
        |> change()
        |> put_change(:password, new_password)
        |> Repo.update()
        |> case do
          # Password stored: clear the session so the old one no longer authenticates
          {:ok, _user} ->
            MyAppWeb.SessionController.clear_session(conn)

          # Update failed: leave the session unchanged
          _ ->
            conn
        end
      end
    end

The code now includes a function call to clear the session after the password change. This forces any user, legitimate or attacker, to re-authenticate after the password change, effectively locking out any attacker that had compromised the previous session.
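Added example, not part of this page, which goes one step further than the code above: with Phoenix's default cookie-backed sessions, clearing the session of the request that changed the password does not revoke a copy of that cookie held elsewhere, so the example keeps session tokens server-side (the phx.gen.auth pattern), deletes all of the user's tokens in the same transaction as the password update, and issues a fresh token only to the browser that made the change. MyApp.Accounts.User with password_changeset/2 and validate_current_password/2, and MyApp.Accounts.UserToken, are assumed names.

```elixir
defmodule MyApp.Accounts do
  # Assumed schemas (not on the page): MyApp.Accounts.User, whose password_changeset/2
  # hashes the new password, and MyApp.Accounts.UserToken (user_id, token, context).
  import Ecto.Query, only: [from: 2]
  alias Ecto.Multi
  alias MyApp.Repo
  alias MyApp.Accounts.{User, UserToken}

  # Change the password and delete every session token of this user in one
  # transaction, so a token captured earlier by an attacker stops authenticating.
  def update_user_password(%User{} = user, current_password, attrs) do
    changeset =
      user
      |> User.password_changeset(attrs)
      |> User.validate_current_password(current_password)

    Multi.new()
    |> Multi.update(:user, changeset)
    |> Multi.delete_all(:tokens, from(t in UserToken, where: t.user_id == ^user.id))
    |> Repo.transaction()
    |> case do
      {:ok, %{user: user}} -> {:ok, user}
      {:error, :user, changeset, _changes} -> {:error, changeset}
    end
  end

  # Issue a fresh server-side token for the browser that made the change.
  def generate_user_session_token(%User{} = user) do
    token = :crypto.strong_rand_bytes(32)
    Repo.insert!(%UserToken{token: token, context: "session", user_id: user.id})
    token
  end
end

defmodule MyAppWeb.UserSettingsController do
  use MyAppWeb, :controller
  alias MyApp.Accounts

  def update_password(conn, %{"current_password" => current, "user" => attrs}) do
    case Accounts.update_user_password(conn.assigns.current_user, current, attrs) do
      {:ok, user} ->
        conn
        |> configure_session(renew: true)  # rotate the session id
        |> clear_session()                 # drop everything the old session held
        |> put_session(:user_token, Accounts.generate_user_session_token(user))
        |> redirect(to: "/users/settings")

      {:error, changeset} ->
        render(conn, "edit.html", changeset: changeset)
    end
  end
end
```

The authentication plug that reads `:user_token` from the session must look the token up in the database on each request; a token deleted by the transaction then fails that lookup, which is what logs the other sessions out.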