
Insecurely generated cookies - SameSite - Elixir


Need

To protect cookies from being sent along with cross-site requests


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications in Elixir
  3. Usage of secure cookie handling

Description

Insecure Code Example

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  # Sets the cookie with no :same_site option, so the Set-Cookie header
  # carries no SameSite attribute and browser defaults decide its fate.
  post "/" do
    conn
    |> put_resp_cookie("sensitive_info", "some_value")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, `put_resp_cookie/4` is called without the `:same_site` option, so the resulting `Set-Cookie` header has no SameSite attribute. The browser then applies its own default: some treat such a cookie as `Lax`, others as `None`, so a request triggered from a third-party site (for example an auto-submitted form POST) may carry the cookie along, which is the precondition for cross-site request forgery.

Steps

  1. Pass `same_site: "Strict"` or `same_site: "Lax"` to `put_resp_cookie/4` for every cookie that carries session or authentication state. `Strict` withholds the cookie on all cross-site requests, including top-level navigations from other sites; `Lax` still sends it on top-level GET navigations (links from e-mail or other sites) while blocking cross-site POSTs and subresource requests.
  2. Do not store sensitive information in cookies if possible; keep an opaque identifier in the cookie and look the data up server-side.
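The following stand-alone script is an added example, not code from the original page: it puts a weak route and a hardened route side by side in one Plug router and then audits the `Set-Cookie` headers each response produces. The route paths, cookie name and the `CookieAudit` module are hypothetical names chosen for this illustration; the only library assumption is Plug itself, fetched through `Mix.install`.

```elixir
# Run with: elixir samesite_cookies.exs   (Elixir >= 1.12 for Mix.install)
Mix.install([{:plug, "~> 1.15"}])

defmodule CookieDemo do
  use Plug.Router

  plug :match
  plug :dispatch

  # Weak: no SameSite and no Secure. Browsers that do not default to Lax will
  # attach this cookie to a cross-site form POST launched from another origin.
  post "/weak" do
    conn
    |> put_resp_cookie("session_id", "opaque-token")
    |> send_resp(200, "OK")
  end

  # Hardened: Lax keeps the cookie off cross-site POSTs but still sends it on
  # top-level GET navigations; use "Strict" when the app never has to be
  # entered through an external link with the session intact. Plug only
  # defaults :secure to true on HTTPS connections, so it is set explicitly.
  post "/hardened" do
    conn
    |> put_resp_cookie("session_id", "opaque-token",
      same_site: "Lax",
      secure: true,
      http_only: true,
      max_age: 3600
    )
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule CookieAudit do
  @moduledoc "Reports missing or weak attributes on every Set-Cookie header of a response."

  @doc "Returns a list of {cookie_name, [problem, ...]} tuples."
  def findings(conn) do
    conn
    |> Plug.Conn.get_resp_header("set-cookie")
    |> Enum.map(&audit_header/1)
  end

  defp audit_header(header) do
    [name_value | attrs] = header |> String.split(";") |> Enum.map(&String.trim/1)
    [name | _] = String.split(name_value, "=", parts: 2)
    attrs = Enum.map(attrs, &String.downcase/1)

    same_site =
      Enum.find_value(attrs, fn
        "samesite=" <> value -> value
        _ -> nil
      end)

    problems =
      []
      |> add_if(is_nil(same_site), "missing SameSite (browser default is not guaranteed)")
      |> add_if(same_site == "none", "SameSite=None sends the cookie on cross-site requests")
      |> add_if("secure" not in attrs, "missing Secure")
      |> add_if("httponly" not in attrs, "missing HttpOnly")

    {name, Enum.reverse(problems)}
  end

  defp add_if(list, true, message), do: [message | list]
  defp add_if(list, false, _message), do: list
end

# Drive both routes through the router with a test connection and print the audit.
opts = CookieDemo.init([])

for path <- ["/weak", "/hardened"] do
  conn = Plug.Test.conn(:post, path) |> CookieDemo.call(opts)
  IO.inspect(CookieAudit.findings(conn), label: path)
end
```

The weak route is reported for the missing SameSite and Secure attributes (HttpOnly is Plug's default, so it is present on both), while the hardened route produces an empty problem list. The same `CookieAudit.findings/1` call can be dropped into an ExUnit test with `Plug.Test` to fail the build whenever a session cookie regresses.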

Secure Code Example

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  # The :same_site option makes Plug emit "SameSite=Strict" on the
  # Set-Cookie header, so browsers omit the cookie from cross-site requests.
  post "/" do
    conn
    |> put_resp_cookie("sensitive_info", "some_value", same_site: "Strict")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the cookie is set with the SameSite attribute set to `Strict`, so browsers omit it from every cross-site request, including top-level navigations arriving from other sites. SameSite is a defense-in-depth control rather than a replacement for anti-CSRF tokens, and a cookie that carries session state should also be sent with the `Secure` flag (Plug sets `HttpOnly` by default and `Secure` only when the connection is already HTTPS).


References

  • 129 - Insecurely generated cookies - SameSite

  • Last updated

    2023/09/18