Ensure security after password change
defmodule MyApp.Accounts do
  import Ecto.Changeset
  alias MyApp.Repo

  # Updates the stored password but leaves every existing session untouched.
  def change_password(user, new_password) do
    user
    |> change()
    |> put_change(:password, new_password)
    |> Repo.update()
  end
end
The code demonstrates password-change functionality that does not invalidate the session after the password is changed. If an attacker had compromised that session, they would keep control of it even after the legitimate user changed their password.
defmodule MyApp.Accounts do
  import Ecto.Changeset
  alias MyApp.Repo

  # Updates the stored password and, on success, clears the caller's session
  # so the request that changed the password must re-authenticate.
  def change_password(conn, user, new_password) do
    user
    |> change()
    |> put_change(:password, new_password)
    |> Repo.update()
    |> case do
      {:ok, _user} -> MyAppWeb.SessionController.clear_session(conn)
      {:error, _changeset} -> conn
    end
  end
end
The code now calls a function that clears the session after the password change. This forces any user, legitimate or attacker, to re-authenticate after the password change, locking out an attacker who had compromised the previous session.
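One caveat worth checking in a review: `clear_session/1` only drops the session carried by the request that changed the password. With the default Phoenix cookie session store, the session lives in the client's signed cookie, so an attacker holding a different cookie for the same account keeps a valid session until it is rejected server-side. The following is an added example, not code from the original page or from any project it describes, showing one way to revoke every session issued before the change: record a `password_changed_at` timestamp on the user and reject any session whose issue time predates it. It assumes a `password_changed_at` `:utc_datetime` column on the users table, that login stores `:user_id` and `:session_issued_at` in the session, and a hypothetical `MyApp.Accounts.get_user/1`; password hashing is assumed to happen elsewhere in the changeset.

```elixir
# Added example (not the page's own code). Assumptions:
#   * users have a `password_changed_at` :utc_datetime column,
#   * login puts `:user_id` and `:session_issued_at` (a DateTime) in the session,
#   * `MyApp.Accounts.get_user/1` returns a user struct or nil (hypothetical).
defmodule MyApp.Accounts.PasswordChange do
  import Ecto.Changeset
  alias MyApp.Repo

  # Record when the password changed so every session issued earlier can be rejected.
  def change_password(user, new_password) do
    now = DateTime.utc_now() |> DateTime.truncate(:second)

    user
    |> change()
    |> put_change(:password, new_password)
    |> put_change(:password_changed_at, now)
    |> Repo.update()
  end
end

defmodule MyAppWeb.Plugs.RejectStaleSession do
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2, put_flash: 3]
  alias MyApp.Accounts

  def init(opts), do: opts

  # Runs on every request: anonymous requests pass through, authenticated
  # requests are checked against the user's last password change.
  def call(conn, _opts) do
    case get_session(conn, :user_id) do
      nil -> conn
      user_id -> check(conn, Accounts.get_user(user_id))
    end
  end

  defp check(conn, %{} = user) do
    issued_at = get_session(conn, :session_issued_at)

    if issued_after_last_change?(issued_at, user.password_changed_at) do
      assign(conn, :current_user, user)
    else
      reject(conn)
    end
  end

  # Unknown user id in the session: treat as stale.
  defp check(conn, nil), do: reject(conn)

  # Drop the server-side view of this session and force a fresh login.
  defp reject(conn) do
    conn
    |> configure_session(drop: true)
    |> put_flash(:error, "Your session has expired, please sign in again.")
    |> redirect(to: "/login")
    |> halt()
  end

  # A session without an issue timestamp predates this check; treat it as stale.
  defp issued_after_last_change?(nil, _changed_at), do: false
  # Password never changed: any issued session is acceptable.
  defp issued_after_last_change?(_issued_at, nil), do: true
  # Strictly greater: a session issued in the same second as the change is rejected,
  # which errs on the side of re-authentication.
  defp issued_after_last_change?(%DateTime{} = issued_at, %DateTime{} = changed_at),
    do: DateTime.compare(issued_at, changed_at) == :gt
end
```

Add the plug to the browser pipeline after `fetch_session` and `fetch_flash`, and have the login action call `put_session(conn, :session_issued_at, DateTime.utc_now())`. Because the comparison is done on every request against the stored timestamp, no list of outstanding sessions has to be tracked: the session used to perform the change is rejected on its next request along with any other session, which matches the page's intent that everyone re-authenticates.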