idi527
Phoenix.Token "forever valid" warning - why is a max age recommended?
I’ve noticed this warning
https://github.com/phoenixframework/phoenix/blob/v1.3/lib/phoenix/token.ex#L225-L231
in phoenix, and wondered what kind of vulnerability would storing a “forever valid” session id have. In other words, is this warning only for the users who store some extra data in the token (besides the session id) which can go stale?
Marked As Solved
voltone
I believe the purpose of this warning is to encourage people to explicitly opt-in to non-expiring tokens by setting max_age to :infinity. The future default will ‘err on the side of caution’, which is a good security practice.
One use-case for non-expiring tokens is to simplify development/testing. In a production environment, non-expiring tokens should only really be used if the token can be revoked, e.g. on sign-out or when the user changes password. This can be achieved by encoding in the token a timestamp or sequence number that is also stored in the User DB record, and updating the DB on sign-out or password change, rendering old tokens invalid.
Without revocation, every sign-in would issue yet another valid token, and the user would have no control over who might abuse such old tokens. A token might be left behind on a public computer, or yet-to-be-discovered weaknesses in crypto protocols might allow an attacker to extract a token from an old packet capture. There would be nothing the user could do, and the site admin could only change the secret key, invalidating all tokens at once.
Also Liked
jordiee
Besically the idea of it is if someone gets their hands on a token without an expire that does not belong to them they will forever have access with that token. With an expire time that is not the case. Depending what you are using Phoenix token for it could be perfectly fine that way though.
voltone
If your use-case and threat model allow never-expiring tokens, you can opt-in by passing :infinity. That will eliminate the warning. The upcoming change and the warning are about making this opt-in rather than opt-out, to avoid mistakes due to someone missing a warning in the docs.
voltone
There are other, perhaps more likely, examples where the protection of TLS might be less than perfect. For example, in the past CAs have been compromised and fake certificates issued to intercept communications. This might only affect users in a certain country or using a certain ISP.
The point is, relying on tokens that can never ever be revoked is a risk, no matter how hard you try to protect them. Giving users an option to revoke their own tokens using the DB-backed mechanism I described might be wise, to add another layer of protection.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








