
Insecurely generated cookies - Secure - Elixir


Need

To protect sensitive cookies from being sent over insecure channels


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications in Elixir
  3. Usage of secure cookie handling for session management

Description

Insecure Code Example

defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  # Handle POST on the root path ("" and "/" both match the root in Plug.Router).
  post "/" do
    conn
    # No `secure: true`, so the browser will also send this cookie over plain HTTP.
    |> put_resp_cookie("sensitive_info", "some_value")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the cookie is set without the Secure attribute, so a browser will also send it over unencrypted HTTP connections, where it can be read in transit.

Steps

  1. Set the Secure attribute while setting the cookies.
  2. Only send cookies over HTTPS.

Secure Code Example

defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  # Handle POST on the root path ("" and "/" both match the root in Plug.Router).
  post "/" do
    conn
    # `secure: true` adds the Secure attribute, so the browser only sends the
    # cookie over HTTPS.
    |> put_resp_cookie("sensitive_info", "some_value", secure: true)
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the cookie is set with the Secure attribute, so the browser will only send it back over HTTPS.
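The check a reviewer would want to automate, as an added example that is not part of the original page: an ExUnit test drives both routers above through Plug.Test and inspects the raw Set-Cookie header for the Secure attribute. It assumes the Vulnerable and Secure modules are compiled in the project and that plug is a dependency; the module name CookieFlagsTest is a hypothetical choice.

```elixir
# Added example, not from the original page. Assumes the Vulnerable and
# Secure routers above are compiled and that the plug library is available.
defmodule CookieFlagsTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Send a POST to the root path through the given router and return the
  # values of every Set-Cookie response header (one string per cookie).
  defp set_cookie_headers(router) do
    conn(:post, "/")
    |> router.call(router.init([]))
    |> get_resp_header("set-cookie")
  end

  test "vulnerable router omits the Secure attribute" do
    # Plug.Test conns use the :http scheme, so nothing adds Secure implicitly.
    [cookie] = set_cookie_headers(Vulnerable)
    assert cookie =~ "sensitive_info=some_value"
    refute cookie =~ ~r/;\s*secure/i
  end

  test "secure router sets the Secure attribute" do
    [cookie] = set_cookie_headers(Secure)
    assert cookie =~ "sensitive_info=some_value"
    assert cookie =~ ~r/;\s*secure/i
  end
end
```

Recent Plug versions default `secure` to true only when `conn.scheme` is `:https`; behind a TLS-terminating proxy the application often sees `:http`, so setting the flag explicitly as in the Secure module is the reliable choice.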


References

  • 130 - Insecurely generated cookies - Secure

  • Last updated: 2023/09/18