
Need

Prevent cookie exposure over insecure channels or to unauthorized users.

Context

• Usage of Elixir (v1.11+) for building scalable and concurrent applications

• Usage of Plug library for handling HTTP requests

Description

1. Non compliant code

def set_cookie(conn) do
  # Relies entirely on Plug's defaults: no :secure, :http_only or :same_site option is set.
  conn
  |> put_resp_cookie("session", "session_value")
end

This Elixir function sets a 'session' cookie without stating any security attributes, so whatever the browser receives depends on Plug's defaults. Plug does add HttpOnly unless you pass http_only: false, but it adds Secure only when conn.scheme is :https. Behind a TLS-terminating proxy or load balancer the scheme is usually :http (unless a plug such as Plug.RewriteOn is configured to honour X-Forwarded-Proto), so the cookie is emitted without the Secure flag and the browser will send it over a plain HTTP connection, where it can be read on the wire. Nothing restricts cross-site sending either, because no SameSite attribute is set. Leaving these attributes implicit also means a later change (for example http_only: false added for a debugging feature) silently exposes the session token to client-side scripts.

2. Steps

• Add the :secure and :http_only options explicitly when setting the cookie, and set :same_site ("Lax" or "Strict") to limit cross-site sending. Do not rely on Plug inferring :secure from conn.scheme.

• Test the application to ensure the cookies are being set correctly (inspect the Set-Cookie header in a test or with browser developer tools and confirm the Secure, HttpOnly and SameSite attributes are present) and that the application still functions as expected, in particular any login or cross-origin flow that depends on the cookie.

3. Secure code example

def set_cookie(conn) do
  # Flags are stated explicitly rather than inherited from Plug's defaults.
  conn
  |> put_resp_cookie("session", "session_value", secure: true, http_only: true)
end

This Elixir function sets a 'session' cookie with the Secure and HttpOnly flags stated explicitly. The Secure flag ensures the browser only sends the cookie over HTTPS, regardless of what conn.scheme reports on the server side. The HttpOnly flag prevents the cookie from being read by client-side scripts (document.cookie), which limits the damage of a cross-site scripting bug but does not fix the bug itself. In practice you should also pass same_site: "Lax" or "Strict" so the cookie is not attached to cross-site requests, and serve the site over HTTPS with a redirect from HTTP, since the Secure flag only controls when the cookie is sent, not whether the application accepts insecure connections.
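The following is an added, self-contained example that is not part of the original page: a minimal Plug router that sets the session cookie with all three attributes, a small helper that extracts the attributes from the resulting Set-Cookie header, and an ExUnit test that asserts they are present. The module names, route, cookie value and the one-hour max_age are assumptions made for this illustration; Plug.RewriteOn is included only to show how conn.scheme can be made accurate behind a TLS-terminating proxy. Mix.install requires Elixir 1.12 or later; save the block as a .exs file and run it with elixir.

```elixir
# Added example, not code from the original page. Run with: elixir secure_cookie.exs
Mix.install([{:plug, "~> 1.14"}])
ExUnit.start()

defmodule SecureCookieExample.Router do
  use Plug.Router

  # Behind a TLS-terminating proxy conn.scheme is :http unless the proxy's
  # X-Forwarded-Proto header is honoured. This makes Plug's own :secure default
  # correct, but the cookie options below do not depend on it.
  plug Plug.RewriteOn, [:x_forwarded_proto]
  plug :match
  plug :dispatch

  # Every security-relevant attribute is stated explicitly (assumed values).
  @cookie_opts [
    secure: true,       # browser only sends the cookie over HTTPS
    http_only: true,    # not readable through document.cookie
    same_site: "Lax",   # not attached to cross-site subresource or POST requests
    max_age: 3600,      # one hour: bounds how long a stolen cookie stays valid
    path: "/"
  ]

  get "/login" do
    conn
    |> put_resp_cookie("session", "session_value", @cookie_opts)
    |> send_resp(200, "ok")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule SecureCookieExample.Check do
  @doc """
  Returns the attributes of the Set-Cookie header for cookie `name`, lower-cased
  and without the name=value pair, e.g. ["path=/", "max-age=3600", ..., "secure", "httponly", "samesite=lax"].
  Returns [] when no such cookie is set, so a missing cookie also fails the assertions.
  """
  def cookie_attributes(conn, name) do
    conn
    |> Plug.Conn.get_resp_header("set-cookie")
    |> Enum.find("", &String.starts_with?(&1, name <> "="))
    |> String.split(";")
    |> Enum.drop(1)
    |> Enum.map(fn attr -> attr |> String.trim() |> String.downcase() end)
  end
end

defmodule SecureCookieExample.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test

  alias SecureCookieExample.{Check, Router}

  test "session cookie carries Secure, HttpOnly and SameSite" do
    # Plug.Test builds an :http conn; the attributes must still be present
    # because they are set explicitly rather than inferred from the scheme.
    conn = Router.call(conn(:get, "/login"), Router.init([]))
    attrs = Check.cookie_attributes(conn, "session")

    assert "secure" in attrs
    assert "httponly" in attrs
    assert "samesite=lax" in attrs
  end

  test "unknown routes set no session cookie" do
    conn = Router.call(conn(:get, "/missing"), Router.init([]))
    assert Check.cookie_attributes(conn, "session") == []
  end
end
```

The test deliberately uses a plain HTTP test connection: if the attributes were left to Plug's defaults, the Secure flag would be absent there, which is exactly the behaviour a test should catch before it reaches a proxied production deployment.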