Insecurely generated cookies - Secure - Elixir

Need

To protect sensitive cookies from being sent over insecure channels

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of secure cookie handling for session management

Description

Non compliant code

    defmodule Vulnerable do
      use Plug.Router

      plug :match
      plug :dispatch

      post "/" do
        conn
        # No :secure option: the browser will also send this cookie over plain HTTP.
        |> put_resp_cookie("sensitive_info", "some_value")
        |> send_resp(200, "OK")
      end

      match _ do
        send_resp(conn, 404, "Not found")
      end
    end

In this Elixir code snippet, a cookie is set without the Secure attribute, so the browser will also send it over plain HTTP, where it can be observed or altered in transit.

Steps

  • Set the Secure attribute when setting cookies.
  • Only send cookies over HTTPS.

Compliant code

    defmodule Secure do
      use Plug.Router

      plug :match
      plug :dispatch

      post "/" do
        conn
        # secure: true adds the Secure attribute, so the browser only sends the
        # cookie over HTTPS.
        |> put_resp_cookie("sensitive_info", "some_value", secure: true)
        |> send_resp(200, "OK")
      end

      match _ do
        send_resp(conn, 404, "Not found")
      end
    end

In this Elixir code snippet, the cookie is set with the Secure attribute, ensuring the browser will only send it over HTTPS.
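As an added example (not part of the original page), the following shows how to centralize the hardened cookie attributes in one helper and verify them with an ExUnit test that inspects the Set-Cookie header, so a regression that drops `secure: true` fails the build. It assumes the `plug` and `ex_unit` dependencies are available; the module and function names (`CookieHardening`, `HardenedRouter`, `put_sensitive_cookie/3`) are hypothetical.

```elixir
defmodule CookieHardening do
  import Plug.Conn

  # Hypothetical helper (added example). Attributes set below:
  # Secure: sent only over HTTPS; HttpOnly: hidden from page scripts
  # (Plug's default, stated explicitly); SameSite=Strict: not sent cross-site.
  def put_sensitive_cookie(conn, key, value) do
    put_resp_cookie(conn, key, value,
      secure: true,
      http_only: true,
      same_site: "Strict",
      max_age: 60 * 60
    )
  end
end

defmodule HardenedRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  post "/" do
    conn
    |> CookieHardening.put_sensitive_cookie("sensitive_info", "some_value")
    |> send_resp(200, "OK")
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end
end

defmodule HardenedRouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  test "sensitive cookie carries Secure, HttpOnly and SameSite=Strict" do
    conn = conn(:post, "/") |> HardenedRouter.call(HardenedRouter.init([]))
    [set_cookie] = get_resp_header(conn, "set-cookie")

    # Plug writes attribute names in its own casing; match case-insensitively.
    assert set_cookie =~ ~r/^sensitive_info=some_value;/
    assert set_cookie =~ ~r/;\s*secure/i
    assert set_cookie =~ ~r/;\s*httponly/i
    assert set_cookie =~ ~r/;\s*samesite=strict/i
  end
end
```

Run the test with `mix test`; removing `secure: true` from the helper makes the second assertion fail, which is the regression check a review wants.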
