
Insecurely generated cookies - HttpOnly - Elixir


Need

To protect cookies from being accessed by client-side scripts


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug (Plug.Router served by the Plug.Cowboy adapter) for building web applications in Elixir
  3. Usage of secure cookie handling for session management

Description

Insecure Code Example

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  post "/" do
    # Plug adds HttpOnly by default; turning it off exposes the cookie
    # to document.cookie, i.e. to any script running in the page.
    conn
    |> put_resp_cookie("sensitive_info", "some_value", http_only: false)
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet the cookie is written with `http_only: false`, so the Set-Cookie header carries no HttpOnly attribute and the value can be read through `document.cookie` by any script executing in the page, including one injected through an XSS flaw. Note that Plug's `put_resp_cookie/4` emits HttpOnly by default; the attribute is lost when it is explicitly disabled, as here, or when the Set-Cookie header is assembled by hand with `put_resp_header/3` instead of going through `put_resp_cookie/4`.

Steps

  1. Keep the HttpOnly attribute on every cookie that carries a session or authentication token: pass `http_only: true` to `put_resp_cookie/4` (Plug's default) and never override it with `http_only: false`. For cookies that hold session state, also set `secure: true` and a `same_site` value, since HttpOnly alone does not stop the browser from sending the cookie over plain HTTP or on cross-site requests.
  2. Do not store sensitive information in cookies if possible. Keep the data server-side and send only an opaque session identifier, or use the `sign: true` / `encrypt: true` options of `put_resp_cookie/4` (which require `conn.secret_key_base` to be set) so the value cannot be read or tampered with by the client.
  3. Verify the attributes in the resulting Set-Cookie header in a test rather than trusting the call site.

Secure Code Example

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  post "/" do
    # http_only: true keeps the cookie out of reach of client-side scripts.
    conn
    |> put_resp_cookie("sensitive_info", "some_value", http_only: true)
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet the cookie is set with `http_only: true`, so the Set-Cookie header includes the HttpOnly attribute and the browser refuses to expose the value to `document.cookie`. HttpOnly only hides the cookie from scripts; the browser still attaches it to every matching request, so cookies that carry session state should additionally be marked `secure: true` and given a `same_site` value.
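The following script is an added example, not code from the original page: it defines a small router with one weak route (`http_only: false`) and one hardened route (`http_only: true` plus `secure` and `same_site`), drives both with `Plug.Test`, and inspects the Set-Cookie headers so the difference is visible without a browser. The module names `CookieDemo` and `CookieDemo.Router`, the paths `/weak` and `/hardened`, and the cookie name `session_id` are assumptions for the illustration. It can be run as `elixir cookie_check.exs`.

```elixir
# Added example (not from the original page). Installs Plug, sets a cookie
# two ways, and checks the Set-Cookie headers that Plug actually emits.
Mix.install([{:plug, "~> 1.14"}])

defmodule CookieDemo.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  # Deliberately weak: HttpOnly switched off, so document.cookie can read it.
  post "/weak" do
    conn
    |> put_resp_cookie("session_id", "some_value", http_only: false)
    |> send_resp(200, "OK")
  end

  # Hardened: HttpOnly (Plug's default, stated explicitly) plus Secure and
  # SameSite, which Plug does not add on its own, and a bounded lifetime.
  post "/hardened" do
    conn
    |> put_resp_cookie("session_id", "some_value",
      http_only: true,
      secure: true,
      same_site: "Strict",
      max_age: 60 * 60
    )
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule CookieDemo do
  import Plug.Test
  import Plug.Conn, only: [get_resp_header: 2]

  # Runs a POST against the router and returns its Set-Cookie header(s).
  def set_cookie_headers(path) do
    conn = conn(:post, path)
    conn = CookieDemo.Router.call(conn, CookieDemo.Router.init([]))
    get_resp_header(conn, "set-cookie")
  end

  # True only when every Set-Cookie header the route emits carries the
  # HttpOnly attribute (attribute names are case-insensitive per RFC 6265).
  def http_only?(path) do
    path
    |> set_cookie_headers()
    |> Enum.all?(fn header ->
      header |> String.downcase() |> String.contains?("httponly")
    end)
  end
end

IO.inspect(CookieDemo.set_cookie_headers("/weak"), label: "/weak")
IO.inspect(CookieDemo.set_cookie_headers("/hardened"), label: "/hardened")

# The weak route must lack HttpOnly and the hardened one must carry it;
# a mismatch raises MatchError, which is the failure signal for a CI check.
false = CookieDemo.http_only?("/weak")
true = CookieDemo.http_only?("/hardened")
```

The `http_only?/1` helper is the kind of assertion worth keeping in the application's own test suite: it checks the header the browser will actually receive, so a later refactor that drops the attribute (or rewrites the header by hand) fails the build instead of silently shipping a script-readable session cookie.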


References

  • 128 - Insecurely generated cookies - HttpOnly

  • Last updated

    2023/09/18