Insecurely generated cookies - SameSite - Elixir

Insecurely generated cookies - SameSite - Elixir

Need

To protect cookies from being sent along with cross-site requests

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of secure cookie handling

Description

Non compliant code

        defmodule Vulnerable do
  use Plug.Router

  plug :match
  plug :dispatch

  post "" do
    conn
    |> put_resp_cookie("sensitive_info", "some_value")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, a cookie is being set without the SameSite attribute, making it susceptible to being sent along with cross-site requests.

Steps

  • Set the SameSite attribute to 'Strict' or 'Lax' while setting the cookies.
  • Do not store sensitive information in cookies if possible.

Compliant code

        defmodule Secure do
  use Plug.Router

  plug :match
  plug :dispatch

  post "" do
    conn
    |> put_resp_cookie("sensitive_info", "some_value", same_site: "Strict")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

In this Elixir code snippet, the cookie is set with the SameSite attribute set to 'Strict', protecting it from being sent along with cross-site requests.

References