Insecurely generated cookies - SameSite
Need
To protect cookies from being sent along with cross-site requests
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications in Elixir
- Usage of secure cookie handling
Description
Non compliant code
defmodule Vulnerable do
use Plug.Router
plug :match
plug :dispatch
post "" do
conn
|> put_resp_cookie("sensitive_info", "some_value")
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, a cookie is being set without the SameSite attribute, making it susceptible to being sent along with cross-site requests.
Steps
- Set the SameSite attribute to 'Strict' or 'Lax' while setting the cookies.
- Do not store sensitive information in cookies if possible.
Compliant code
defmodule Secure do
use Plug.Router
plug :match
plug :dispatch
post "" do
conn
|> put_resp_cookie("sensitive_info", "some_value", same_site: "Strict")
|> send_resp(200, "OK")
end
match _ do
send_resp(conn, 404, "Not found")
end
end
In this Elixir code snippet, the cookie is set with the SameSite attribute set to 'Strict', protecting it from being sent along with cross-site requests.