

Avoid fixation attacks by renewing session ID
peaceful-james committed Jul 2, 2024
1 parent 8825525 commit 6a28d2f
Showing 1 changed file with 24 additions and 3 deletions.
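--- a/templates/controllers/session.ex
+++ b/templates/controllers/session.ex
@@ -15,7 +15,7 @@ defmodule <%= inspect @web_pascal_case %>.Session do
 else
 _error ->
 conn
-|> clear_session()
+|> renew_session()
 end
 end
 
@@ -32,7 +32,7 @@ defmodule <%= inspect @web_pascal_case %>.Session do
 
 {:error, _} ->
 conn
-|> clear_session()
+|> renew_session()
 |> put_flash(:error, "Please sign in.")
 |> redirect(to: ~p"/sign-in")
 end
@@ -44,8 +44,29 @@ defmodule <%= inspect @web_pascal_case %>.Session do
 |> Identity.delete_all_user_sessions()
 
 conn
-|> clear_session()
+|> renew_session()
 |> put_flash(:info, "Successfully signed out.")
 |> redirect(to: ~p"/")
 end
+
+# This function renews the session ID and erases the whole
+# session to avoid fixation attacks. If there is any data
+# in the session you may want to preserve after log in/log out,
+# you must explicitly fetch the session data before clearing
+# and then immediately set it after clearing, for example:
+#
+# defp renew_session(conn) do
+# preferred_locale = get_session(conn, :preferred_locale)
+#
+# conn
+# |> configure_session(renew: true)
+# |> clear_session()
+# |> put_session(:preferred_locale, preferred_locale)
+# end
+#
+defp renew_session(conn) do
+conn
+|> configure_session(renew: true)
+|> clear_session()
+end
 end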
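Review bot: The successful sign-in path, the branch that stores the authenticated user's token in the session, is not touched by any of the three hunks, and that is where renewal matters most for fixation: the session ID issued before authentication must be replaced at the moment privileges change, not only on failure or sign-out. If that branch still calls `put_session/3` directly, it should go through the new helper first, e.g. `conn |> renew_session() |> put_session(:user_token, token)`, so the pre-authentication cookie is discarded; I cannot confirm this from the diff since only the error and sign-out branches are shown. The `else _error ->` clause in the first hunk belongs to a function whose head is outside the hunk, and renewing there is harmless but not the critical case. The sign-out hunk is fine as written: server-side sessions are deleted via `Identity.delete_all_user_sessions()` before the cookie session is renewed and cleared.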
