Insecurely Generated Cookies - Elixir

Insecurely Generated Cookies - Elixir

Need

Prevent cookie exposure over insecure channels or to unauthorized users.

Context

  • Usage of Elixir (v1.11+) for building scalable and concurrent applications
  • Usage of Plug library for handling HTTP requests

Description

Non compliant code

        def set_cookie(conn) do
  conn
  |> put_resp_cookie("session", "session_value")
end
        
        

This Elixir function sets a 'session' cookie without secure flags. Without the secure flag, the cookie could be sent over an insecure HTTP connection. Without the HttpOnly flag, the cookie could be accessed by client-side scripts.

Steps

  • Add the :secure and :http_only options when setting the cookie.
  • Test the application to ensure the cookies are being set correctly and that the application still functions as expected.

Compliant code

        def set_cookie(conn) do
  conn
  |> put_resp_cookie("session", "session_value", secure: true, http_only: true)
end
        
        

This Elixir function sets a 'session' cookie with the secure and HttpOnly flags. The secure flag ensures the cookie is only sent over HTTPS. The HttpOnly flag prevents the cookie from being accessed by client-side scripts.

References