
Insecurely Generated Cookies

Need

Prevent cookie exposure over insecure channels or to unauthorized users.

Context

  • Usage of Elixir (v1.11+) for building scalable and concurrent applications
  • Usage of Plug library for handling HTTP requests

Description

Non-compliant code

defmodule SessionCookie do
  import Plug.Conn

  # Sets the session cookie with no Secure attribute (non-compliant).
  def set_cookie(conn) do
    conn
    |> put_resp_cookie("session", "session_value")
  end
end

This Elixir function sets a 'session' cookie without the Secure or HttpOnly flags. Without the Secure flag, the browser will also send the cookie over a plain HTTP connection, where it can be read on the wire. Without the HttpOnly flag, client-side scripts can read the cookie (for example, via document.cookie).

Steps

  • Add the :secure and :http_only options when setting the cookie.
  • Test the application to ensure the cookies are being set correctly and that the application still functions as expected.

Compliant code

defmodule SessionCookie do
  import Plug.Conn

  # Sets the session cookie with the Secure and HttpOnly attributes.
  def set_cookie(conn) do
    conn
    |> put_resp_cookie("session", "session_value", secure: true, http_only: true)
  end
end

This Elixir function sets a 'session' cookie with the secure and HttpOnly flags. The secure flag ensures the cookie is only sent over HTTPS. The HttpOnly flag prevents the cookie from being accessed by client-side scripts.
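The following is an added example, not code from the original page: a complete Plug module that sets the session cookie with the Secure, HttpOnly and SameSite attributes, followed by an ExUnit test that performs the second step above (checking that the cookie is actually emitted with those attributes). It assumes the plug library is a dependency and that tests run under ExUnit; the module names, the route and the cookie value "session_value" are constructed for illustration.

```elixir
# Added example (not from the original page). Assumes the `plug` dependency
# and ExUnit. Module names and the cookie value are constructed.
defmodule SecureSessionCookiePlug do
  import Plug.Conn

  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    conn
    |> put_resp_cookie("session", "session_value",
      # Only sent over HTTPS, so it cannot be read on a plaintext connection.
      secure: true,
      # Not exposed to client-side scripts (document.cookie).
      http_only: true,
      # Not attached to cross-site requests, which limits CSRF exposure.
      same_site: "Strict",
      # Expire after one hour instead of living until the browser closes.
      max_age: 60 * 60
    )
    |> send_resp(200, "ok")
  end
end

defmodule SecureSessionCookiePlugTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  test "session cookie carries the Secure, HttpOnly and SameSite attributes" do
    conn =
      :get
      |> conn("/")
      |> SecureSessionCookiePlug.call([])

    # Plug records every cookie set on the response in conn.resp_cookies,
    # keyed by cookie name, with the options as map keys.
    assert %{secure: true, http_only: true, same_site: "Strict"} =
             conn.resp_cookies["session"]

    # The serialized Set-Cookie header is what the browser actually enforces,
    # so check it as well. Plug writes the attribute names in mixed case,
    # hence the case-insensitive matches.
    [header] = get_resp_header(conn, "set-cookie")
    assert header =~ ~r/;\s*secure/i
    assert header =~ ~r/;\s*HttpOnly/i
    assert header =~ ~r/SameSite=Strict/
  end
end
```

Plug's documentation for put_resp_cookie lists :http_only as defaulting to true, so passing it explicitly mainly keeps the intent visible in code review; :secure has no such default and must be set on every cookie that carries a session. Asserting on the Set-Cookie header rather than only on conn.resp_cookies catches the case where a later plug or a before_send callback overwrites the cookie.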
