Insecurely Generated Cookies
Need
Prevent cookie exposure over insecure channels or to unauthorized users.
Context
- Usage of Elixir (v1.11+) for building scalable and concurrent applications
- Usage of Plug library for handling HTTP requests
Description
Non-compliant code
# Assumes `import Plug.Conn` is in scope so put_resp_cookie/3 resolves.
def set_cookie(conn) do
  conn
  # No security attributes are passed: the cookie relies entirely on Plug's defaults.
  |> put_resp_cookie("session", "session_value")
end
This Elixir function sets a 'session' cookie without explicitly setting its security attributes. Without the Secure flag, the cookie could be sent over an insecure HTTP connection, where it can be read by anyone on the path. Without the HttpOnly flag, the cookie could be read by client-side scripts, which turns any script-injection bug into session theft.
Steps
- Add the :secure and :http_only options when setting the cookie.
- Test the application to ensure the cookies are being set correctly and that the application still functions as expected.
Compliant code
# Assumes `import Plug.Conn` is in scope so put_resp_cookie/4 resolves.
def set_cookie(conn) do
  conn
  # Explicit attributes: only sent over HTTPS, never exposed to document.cookie.
  |> put_resp_cookie("session", "session_value", secure: true, http_only: true)
end
This Elixir function sets a 'session' cookie with the secure and HttpOnly flags. The secure flag ensures the cookie is only sent over HTTPS. The HttpOnly flag prevents the cookie from being accessed by client-side scripts.
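The two steps above (set the attributes, then test that they are actually emitted) can be covered by one Plug module and one ExUnit test. The following is an added example, not code from the original page or from the Plug project; the module name `MyApp.SessionCookiePlug`, the `hardened?/2` helper, the `Lax` SameSite policy and the 8-hour `max_age` are assumptions layered on top of the page's `secure: true, http_only: true`. Setting `:secure` explicitly matters because Plug only adds it on its own when the connection's own scheme is `https`, which is typically not the case behind a TLS-terminating proxy, so relying on the default silently drops the flag in exactly the deployments where the page's concern applies.

```elixir
# Added example (not from the original page): a Plug that sets a hardened
# session cookie, plus an ExUnit test that checks the rendered Set-Cookie
# header. Module name, route and max_age are hypothetical/constructed.
defmodule MyApp.SessionCookiePlug do
  @behaviour Plug
  import Plug.Conn

  # :secure and :http_only are set explicitly rather than left to Plug's
  # connection-dependent defaults; :same_site and :max_age are additional
  # hardening beyond the page's compliant snippet.
  @cookie_opts [
    # never sent over plain HTTP
    secure: true,
    # not readable from document.cookie
    http_only: true,
    # not attached to cross-site top-level POSTs
    same_site: "Lax",
    # expire after 8 hours (constructed value)
    max_age: 60 * 60 * 8
  ]

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    # "session_value" is a placeholder; a real application would use an
    # unguessable, server-generated identifier.
    put_resp_cookie(conn, "session", "session_value", @cookie_opts)
  end

  @doc "Returns the attributes Plug has queued for a response cookie, or nil."
  def cookie_attrs(conn, name), do: Map.get(conn.resp_cookies, name)

  @doc "True when the queued cookie carries both the Secure and HttpOnly flags."
  def hardened?(conn, name) do
    case cookie_attrs(conn, name) do
      %{secure: true, http_only: true} -> true
      _ -> false
    end
  end
end

defmodule MyApp.SessionCookiePlugTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias MyApp.SessionCookiePlug

  test "session cookie is flagged Secure and HttpOnly" do
    # Plug.Test connections have scheme :http, so any Secure flag seen here
    # came from the explicit option, not from Plug's HTTPS default.
    conn =
      conn(:get, "/")
      |> SessionCookiePlug.call(SessionCookiePlug.init([]))

    assert SessionCookiePlug.hardened?(conn, "session")

    # Cookie attributes are rendered into Set-Cookie only when the
    # response is sent, so send it and inspect the header.
    [set_cookie] =
      conn
      |> send_resp(200, "ok")
      |> get_resp_header("set-cookie")

    lowered = String.downcase(set_cookie)
    assert lowered =~ "session=session_value"
    assert lowered =~ "; secure"
    assert lowered =~ "; httponly"
    assert lowered =~ "samesite=lax"
  end
end
```

Run the test with `mix test`; it fails if any of the attributes is dropped, which is the regression the page's second step is meant to catch. Checking the rendered header rather than only `conn.resp_cookies` is deliberate: the header is what the browser sees, so it is the authoritative place to verify the flags.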