Insecurely generated cookies - Secure
Need
To protect sensitive cookies from being sent over insecure channels
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Plug Cowboy for building web applications in Elixir
• Usage of secure cookie handling for session management
Description
1. Non-compliant code
defmodule Vulnerable do
  use Plug.Router
  plug :match
  plug :dispatch
  post "" do
    conn
    # No secure: option, so the cookie may be sent over plain HTTP
    |> put_resp_cookie("sensitive_info", "some_value")
    |> send_resp(200, "ok")
  end
end
In this Elixir code snippet, a cookie is set without the Secure attribute, so the browser will also send it over unencrypted HTTP connections, where it can be read by anyone on the network path.
2. Steps
• Set the Secure attribute while setting the cookies.
• Only send cookies over HTTPS.
3. Secure code example
defmodule Secure do
  use Plug.Router
  plug :match
  plug :dispatch
  post "" do
    conn
    # secure: true adds the Secure attribute, so the cookie is only sent over HTTPS
    |> put_resp_cookie("sensitive_info", "some_value", secure: true)
    |> send_resp(200, "ok")
  end
end
In this Elixir code snippet, the cookie is set with the Secure attribute, ensuring the browser only sends it back over HTTPS.
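The following is an added example, not code from the original page: a router that sets the cookie with Secure plus its usual companions (HttpOnly, SameSite), and a small audit helper that drives the router with Plug.Test and lists any response cookie that lacks the Secure flag. The module names, the "/login" route and the cookie value are assumptions chosen for the example.

```elixir
defmodule SecureCookieRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  # Hypothetical login route that issues a sensitive cookie.
  post "/login" do
    conn
    # secure: true keeps the cookie off plaintext HTTP. Plug only adds the
    # flag by itself when conn.scheme is :https, which is not the case behind
    # a TLS-terminating proxy, so set it explicitly rather than relying on that.
    |> put_resp_cookie("sensitive_info", "some_value",
      secure: true,
      http_only: true,
      same_site: "Strict"
    )
    |> send_resp(200, "ok")
  end
end

defmodule CookieAudit do
  @moduledoc "Runs a router against a test request and lists cookies missing the Secure flag."
  import Plug.Test
  import Plug.Conn, only: [get_resp_header: 2]

  # Returns the names of all Set-Cookie entries in the response that have no
  # "secure" attribute; an empty list means every cookie is HTTPS-only.
  def insecure_cookies(router, method, path) do
    conn = conn(method, path) |> router.call(router.init([]))

    conn
    # Plug merges resp_cookies into the set-cookie headers when the response is sent.
    |> get_resp_header("set-cookie")
    |> Enum.reject(&String.contains?(String.downcase(&1), "; secure"))
    |> Enum.map(fn header -> header |> String.split("=", parts: 2) |> hd() end)
  end
end

# Usage: an empty list is expected for the router above.
CookieAudit.insecure_cookies(SecureCookieRouter, :post, "/login")
```

Pointing the same helper at the Vulnerable router from the page would return ["sensitive_info"], which makes it a cheap regression check to keep in the test suite.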
References
• 130. Insecurely generated cookies - Secure