Securely generate cookies with the HttpOnly attribute
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  def set_cookie
    # A bare value is assigned, so the cookie is written without HttpOnly
    cookies[:user_id] = @current_user.id
  end
end
In the code above, set_cookie in ApplicationController writes the current user's id into a user_id cookie. Because a bare value is assigned, Rails emits the Set-Cookie header with no HttpOnly attribute.
HttpOnly is a flag on the Set-Cookie header that tells the browser not to expose the cookie to client-side script (document.cookie and similar APIs). It does not prevent cross-site scripting (XSS); it limits what an injected script can do once XSS exists, because the script can no longer read the cookie and send it to an attacker.
When HttpOnly is not set, any script running in the page, including one injected through an XSS flaw, can read the cookie. For a cookie that carries a session identifier or other authentication data, that means the attacker can copy it and reuse it from their own browser.
In a Ruby on Rails application, the HttpOnly attribute is set by assigning a hash to the cookie jar and passing httponly: true as one of its options (the older hash-rocket form :httponly => true is equivalent). The Rails session cookie already has HttpOnly enabled by default; cookies written directly through cookies[...] do not, which is why the code above is vulnerable.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  def set_cookie
    # Assign an options hash so the HttpOnly attribute is emitted with the cookie
    cookies[:user_id] = { value: @current_user.id, httponly: true }
  end
end
The previous code set the cookie without the HttpOnly attribute, so any client-side script could read it; under an XSS vulnerability that allows the cookie to be stolen.
The updated code sets httponly: true when generating the cookie. The browser then withholds the cookie from client-side script, which reduces the impact of an XSS vulnerability: an injected script can no longer read and exfiltrate the cookie, although it can still issue requests from within the page on the user's behalf.
cookies[:user_id] is now assigned a hash with two keys: value, set to @current_user.id (the user's ID), and httponly, set to true.
This change ensures that the cookie is generated with the HttpOnly attribute. Two caveats remain: HttpOnly hides the cookie from script but does not stop the user from editing its value, so a user_id stored in a plain cookie should be written through cookies.signed or cookies.encrypted before the application trusts it; and the Secure and SameSite options should normally be set alongside httponly so the cookie is neither sent over plaintext HTTP nor attached to cross-site requests.
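The following is an added example, not code from the original page or from Rails itself. It shows, in plain Ruby with no Rails dependency, what the value-plus-options hash above turns into on the wire and how a reviewer can audit Set-Cookie headers for the missing attribute. build_set_cookie mirrors the cookies[:name] = { value:, httponly:, secure:, same_site:, path: } option names and emits attributes in the style Rack uses; the two headers BEFORE and AFTER are constructed inputs that correspond to the page's vulnerable and fixed snippets for a user whose id is 42. All function names are the example's own.

```ruby
# Added example (not from the original page or from Rails): render a cookie
# from a Rails-style options hash and audit Set-Cookie headers for missing
# security attributes. Pure Ruby, runs without Rails installed.

# Mirror cookies[:name] = { value:, httponly:, secure:, same_site:, path: }.
# Only attributes that are present in the hash are emitted, which is why a
# bare value (no httponly key) produces a cookie readable by script.
def build_set_cookie(name, opts)
  value = opts.fetch(:value)
  parts = ["#{name}=#{value}"]
  parts << "path=#{opts[:path] || '/'}"
  parts << "secure" if opts[:secure]
  parts << "HttpOnly" if opts[:httponly]
  parts << "SameSite=#{opts[:same_site].to_s.capitalize}" if opts[:same_site]
  parts.join("; ")
end

# Parse one Set-Cookie header into its name, value and a case-insensitive
# attribute hash (flag attributes such as HttpOnly map to true).
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return the findings an auditor would raise for a single Set-Cookie header.
# An empty array means HttpOnly, Secure and SameSite are all present.
def audit_set_cookie(header)
  cookie = parse_set_cookie(header)
  a = cookie[:attributes]
  findings = []
  findings << "#{cookie[:name]}: missing HttpOnly (readable via document.cookie)" unless a["httponly"]
  findings << "#{cookie[:name]}: missing Secure (sent over plaintext HTTP)" unless a["secure"]
  findings << "#{cookie[:name]}: missing SameSite (sent on cross-site requests)" unless a["samesite"]
  findings
end

# Constructed inputs: the page's vulnerable assignment versus the fixed one,
# with Secure and SameSite added as a practitioner would.
BEFORE = build_set_cookie("user_id", { value: 42 })
AFTER  = build_set_cookie("user_id", { value: 42, httponly: true, secure: true, same_site: :lax })

if __FILE__ == $PROGRAM_NAME
  [BEFORE, AFTER].each do |header|
    puts header
    findings = audit_set_cookie(header)
    puts(findings.empty? ? "  ok" : findings.map { |f| "  #{f}" })
  end
end
```

Run it with ruby to see the two headers and their findings; in a real review the same audit_set_cookie call can be applied to the Set-Cookie lines captured from a test request against the application.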