Weak cookie configuration¶
ID: rb/weak-cookie-configuration
Kind: problem
Security severity: 7.8
Severity: warning
Precision: high
Tags:
- external/cwe/cwe-732
- external/cwe/cwe-1275
- security
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Cookies can be used for security measures, such as authenticating a user based on cookies sent with a request. Misconfiguration of cookie settings in a web application can expose users to attacks that compromise these security measures.
Recommendation¶
Modern web frameworks typically have good default configuration for cookie settings. If an application overrides these settings, then take care to ensure that these changes are necessary and that they don’t weaken the cookie configuration.
Example¶
In the first example, the value of config.action_dispatch.cookies_same_site_protection is set to :none. This has the effect of setting the default SameSite attribute sent by the server when setting a cookie to None rather than the default of Lax. Because browsers then attach the cookie to cross-site requests as well, this may make the application more vulnerable to cross-site request forgery attacks.
In the second example, this option is instead set to :strict. This is a stronger restriction than the default of :lax, and doesn't compromise on cookie security.
```ruby
module App
  class Application < Rails::Application
    # Sets default `Set-Cookie` `SameSite` attribute to `None`
    config.action_dispatch.cookies_same_site_protection = :none

    # Sets default `Set-Cookie` `SameSite` attribute to `Strict`
    config.action_dispatch.cookies_same_site_protection = :strict
  end
end
```
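The query above is a static check on the Rails configuration. The following is an added example, not part of the CodeQL documentation or of Rails, that performs the runtime counterpart: it parses `Set-Cookie` header values and reports the weak attribute combinations the text describes (SameSite=None, a missing Secure flag, a missing HttpOnly flag). The header values in SAMPLE_HEADERS are constructed for illustration; the helper names parse_set_cookie, audit_cookie and audit_headers are this example's own.

```ruby
# Added example: audit Set-Cookie header values for weak attribute settings.
# This is not CodeQL or Rails code; helper names are this example's own.

Finding = Struct.new(:name, :problems)

# Parse one Set-Cookie header value into [name, value, attributes].
# Attribute names are downcased; flag attributes such as Secure and
# HttpOnly (which carry no value) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  [name, value, attributes]
end

# Return the problems found for one cookie. SameSite=None is the weak
# setting the query flags; browsers also reject SameSite=None without Secure.
def audit_cookie(header)
  name, _value, attrs = parse_set_cookie(header)
  problems = []
  same_site = attrs['samesite']
  if same_site.nil?
    problems << 'SameSite attribute missing (browser default applies)'
  elsif same_site.casecmp?('none')
    problems << 'SameSite=None disables cross-site request protection'
    problems << 'SameSite=None requires the Secure attribute' unless attrs['secure']
  end
  problems << 'Secure attribute missing' unless attrs['secure']
  problems << 'HttpOnly attribute missing' unless attrs['httponly']
  Finding.new(name, problems)
end

# Audit a list of header values and keep only cookies with problems.
def audit_headers(headers)
  headers.map { |h| audit_cookie(h) }.reject { |f| f.problems.empty? }
end

# Constructed sample header values (not captured from a real application).
SAMPLE_HEADERS = [
  '_app_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'tracker=xyz; Path=/; SameSite=None',
  'remember_me=1; Path=/; Secure; SameSite=Strict'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_headers(SAMPLE_HEADERS).each do |f|
    puts "#{f.name}:"
    f.problems.each { |p| puts "  - #{p}" }
  end
end
```

Run against the sample, the Lax session cookie passes, the SameSite=None tracker cookie is reported with four problems, and the Strict cookie is reported only for its missing HttpOnly flag. The same parser can be pointed at the `Set-Cookie` headers of an integration-test response to confirm that the Rails default (or a :strict override) actually reaches the browser.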
References¶
OWASP: SameSite.
Rails: Configuring Action Dispatch.
Common Weakness Enumeration: CWE-732.
Common Weakness Enumeration: CWE-1275.