ash-project ash_authentication_phoenix Insufficient Session Expiration Vulnerability Allowing Session Hijacking
Vulnerability
A session hijacking vulnerability has been identified in the ash-project's ash_authentication_phoenix library, affecting versions up to and including 2.9.0. The root cause is insufficient session expiration: logging out clears the user's browser session, but the session token is not revoked on the server and remains valid until it expires on its own. A token that was copied before logout (for example from a shared or compromised device) can therefore still be presented to the server afterwards, and the user has no way to fully invalidate it by logging out.
Impact
Because logout does not revoke the token server-side, an attacker who has captured a token keeps a usable session until the token's natural expiry, regardless of whether the legitimate user has logged out. The practical consequence is that logging out on a shared or compromised device does not protect the account for the remainder of the token's lifetime.
Remediation
Users should upgrade to ash_authentication_phoenix version 2.10.0 or later. Upgrading alone is not sufficient: the application's AuthController must also be updated so that its logout handler calls the new 'clear_session/2' function, passing the application's OTP app name, which is what allows the library to revoke the stored token before the session is dropped. Note that if the 'require_token_presence_for_authentication?' setting is not enabled, a separate error will occur after this change. As an alternative to 'clear_session/2', tokens can be revoked manually in the 'logout/2' handler of the auth controller before the session is cleared.
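The following is an added example of what the remediation looks like in an AuthController; it is not code from the advisory or from the ash_authentication_phoenix project. It assumes an OTP app named :my_app, a controller callback named sign_out/2 (the handler the advisory refers to as logout/2), that `clear_session/2` is brought into scope by `use AshAuthentication.Phoenix.Controller` with the connection as its first argument, that the session stores the bearer token under the key "user_token", and that manual revocation goes through `AshAuthentication.TokenResource.revoke/3` with a token resource named MyApp.Accounts.Token. All of those names and signatures are assumptions and should be checked against the installed library version.

```elixir
# Added example; not the advisory's or the project's own code.
# Assumed names: :my_app, MyAppWeb, MyApp.Accounts.Token, "user_token".
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  use AshAuthentication.Phoenix.Controller
  require Logger

  # Vulnerable pattern (<= 2.9.0): only the cookie-backed session is dropped.
  # The token it referenced is still accepted by the server until it expires.
  #
  #   def sign_out(conn, _params) do
  #     conn
  #     |> clear_session()          # Plug.Conn.clear_session/1: client-side only
  #     |> redirect(to: "/")
  #   end

  # Fixed pattern (>= 2.10.0): clear_session/2 receives the OTP app name so the
  # library can locate the token resource and revoke the stored token before
  # the session is cleared. Assumed argument order: (conn, otp_app).
  def sign_out(conn, _params) do
    return_to = get_session(conn, :return_to) || "/"

    conn
    |> clear_session(:my_app)
    |> redirect(to: return_to)
  end

  # Alternative named in the advisory: revoke the token by hand in the logout
  # handler, then clear the session as before. Session key and revoke/3
  # signature are assumptions; adjust to match the installed version.
  def sign_out_with_manual_revocation(conn, _params) do
    case get_session(conn, "user_token") do
      token when is_binary(token) ->
        case AshAuthentication.TokenResource.revoke(MyApp.Accounts.Token, token) do
          :ok ->
            :ok

          {:error, reason} ->
            # Do not silently proceed: a failed revocation leaves the token live.
            Logger.warning("token revocation failed on logout: #{inspect(reason)}")
        end

      _ ->
        # No token in the session: nothing to revoke server-side.
        :ok
    end

    conn
    |> clear_session()
    |> redirect(to: "/")
  end
end
```

A quick check after deploying either variant: sign in, copy the session token, sign out, then replay the copied token against an authenticated route. With the vulnerable pattern the request still succeeds until the token expires; with either fixed handler it should be rejected immediately.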
