idi527

idi527

Phoenix.Token "forever valid" warning - why is a max age recommended?

I’ve noticed this warning

https://github.com/phoenixframework/phoenix/blob/v1.3/lib/phoenix/token.ex#L225-L231

in phoenix, and wondered what kind of vulnerability would storing a “forever valid” session id have. In other words, is this warning only for the users who store some extra data in the token (besides the session id) which can go stale?

https://github.com/phoenixframework/phoenix/issues/2868

Marked As Solved

voltone

voltone

I believe the purpose of this warning is to encourage people to explicitly opt-in to non-expiring tokens by setting max_age to :infinity. The future default will ‘err on the side of caution’, which is a good security practice.

One use-case for non-expiring tokens is to simplify development/testing. In a production environment, non-expiring tokens should only really be used if the token can be revoked, e.g. on sign-out or when the user changes password. This can be achieved by encoding in the token a timestamp or sequence number that is also stored in the User DB record, and updating the DB on sign-out or password change, rendering old tokens invalid.

Without revocation, every sign-in would issue yet another valid token, and the user would have no control over who might abuse such old tokens. A token might be left behind on a public computer, or yet-to-be-discovered weaknesses in crypto protocols might allow an attacker to extract a token from an old packet capture. There would be nothing the user could do, and the site admin could only change the secret key, invalidating all tokens at once.

Also Liked

jordiee

jordiee

Besically the idea of it is if someone gets their hands on a token without an expire that does not belong to them they will forever have access with that token. With an expire time that is not the case. Depending what you are using Phoenix token for it could be perfectly fine that way though.

voltone

voltone

If your use-case and threat model allow never-expiring tokens, you can opt-in by passing :infinity. That will eliminate the warning. The upcoming change and the warning are about making this opt-in rather than opt-out, to avoid mistakes due to someone missing a warning in the docs.

voltone

voltone

There are other, perhaps more likely, examples where the protection of TLS might be less than perfect. For example, in the past CAs have been compromised and fake certificates issued to intercept communications. This might only affect users in a certain country or using a certain ISP.

The point is, relying on tokens that can never ever be revoked is a risk, no matter how hard you try to protect them. Giving users an option to revoke their own tokens using the DB-backed mechanism I described might be wise, to add another layer of protection.

Where Next?

Popular in Questions Top

siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement