Insecurely Generated Cookies - Elixir


Need

Prevent cookie exposure over insecure channels or to unauthorized users.


Context

  1. Usage of Elixir (v1.11+) for building scalable and concurrent applications
  2. Usage of Plug library for handling HTTP requests

Description

Insecure Code Example

import Plug.Conn

# Insecure: the cookie is set with no :secure or :http_only options
def set_cookie(conn) do
  conn
  |> put_resp_cookie("session", "session_value")
end

This Elixir function sets a 'session' cookie without secure flags. Without the secure flag, the cookie could be sent over an insecure HTTP connection. Without the HttpOnly flag, the cookie could be accessed by client-side scripts.

Steps

  1. Add the :secure and :http_only options when setting the cookie.
  2. Test the application to ensure the cookies are being set correctly and that the application still functions as expected.

Secure Code Example

import Plug.Conn

# Secure: the cookie is restricted to HTTPS and hidden from client-side scripts
def set_cookie(conn) do
  conn
  |> put_resp_cookie("session", "session_value", secure: true, http_only: true)
end

This Elixir function sets a 'session' cookie with the secure and HttpOnly flags. The secure flag ensures the cookie is only sent over HTTPS. The HttpOnly flag prevents the cookie from being accessed by client-side scripts.
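The following added example (not code from the original page) covers both steps above: a Plug module that sets the session cookie with the two flags, and an ExUnit test that sends the response and checks that the emitted Set-Cookie header really carries the secure and HttpOnly attributes. The module name MyApp.SessionCookie and the test module are assumptions.

```elixir
# Added example: module and test names are assumed, not taken from the page.
defmodule MyApp.SessionCookie do
  import Plug.Conn

  @cookie "session"

  # Step 1: set the session cookie with the :secure and :http_only options.
  def set_cookie(conn, value) do
    put_resp_cookie(conn, @cookie, value, secure: true, http_only: true)
  end
end

defmodule MyApp.SessionCookieTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Step 2: verify the cookie as the browser will receive it, not just the
  # options passed in. Plug serializes resp_cookies into Set-Cookie headers
  # only when the response is sent, so send it before inspecting.
  test "session cookie carries the secure and HttpOnly attributes" do
    conn =
      conn(:get, "/")
      |> MyApp.SessionCookie.set_cookie("session_value")
      |> send_resp(200, "ok")

    [header] = get_resp_header(conn, "set-cookie")

    assert header =~ ~r/^session=session_value;/
    assert header =~ ~r/;\s*secure/i
    assert header =~ ~r/;\s*HttpOnly/i
  end
end
```

The test request is plain HTTP, so it also confirms that the secure attribute comes from the explicit option rather than from Plug adding it for HTTPS connections.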


References

  • 042 - Insecurely Generated Cookies

  • Last updated: 2023/09/18