ericlathrop

ericlathrop

Accessing cookies in Phoenix.Socket connect

I’d like to send my authentication token as a HttpOnly cookie to add a layer of defense against XSS. The problem is that I don’t see a way to get the cookie in Phoenix.Socket’s connect/2. Has anyone figured out how to do this? Maybe there’s a way to write a plug to extract the cookie and assign it before Phoenix.Socket runs?

Most Liked

chrismccord

chrismccord

Creator of Phoenix

No, since this is an intentional design decision. WebSockets are not restrained by the same-origin policy, so using cookies could actually leave folks vulnerable to the xss you are wanting to avoid. We also don’t support them because channels are transport agnostic, and not all transports would support cookies. The recommended approach is to use Phoenix.Token to sign data into a token, then verify it on the server as a replacement for cookies. This works across any transport and client.

bjunc

bjunc

Apologies for the zombie thread, but I’m not sure I understand the rationale for not providing the option of reading cookies in the socket connect handshake.

It’s my understanding that a considerably safer method for storing and sending an auth token is via a HttpOnly cookie (provided you have CORS policies to prevent CSRF / CSWSH). With this, JS cannot access the tokens, and the browser does the storing / sending.

I understand the CSWSH concern due to lack of default CORS policy, but that sounds more like a strong warning to developers to check the origin, rather than just not supporting it at all.

On the flip side, we could pass a Phoenix.Token / JWT as a socket connection param, but the problem is that you have to get it to the socket constructor somehow. A <meta /> tag, localStorage, window.__INITIAL_STATE__, etc., are all easily accessible via JS (and therefore in a XSS attack).

So some clarification on this would be helpful.

josevalim

josevalim

Creator of Elixir

This article explains the issue: Cross-Site WebSocket Hijacking (CSWSH)

If website A opens up a websocket to website B, then the browser will send all cookies and authentication headers that belong to website B, even though the request was made from A.

This is orders of magnitude worse than CSRF. CSRF is a blind attack, you can trigger it but you can’t read the result. On the other hand, CSWSH gives the attacker full control of the socket, you can read from the socket, write to the socket, and perform any other operation available through the socket.

Note Phoenix does validate the Origin by default. Still I don’t think we should allow cookies to be read. Messing this up opens up a very big vulnerability and Phoenix is correct in making it double sure it can’t happen. All of the information you want to pass as a cookie can be passed in a safer way.

If your site is exposed to XSS, then it is game over anyway, because with XSS you can directly open up a websocket connection without relying on CSWSH. So you shouldn’t worry about storing those in meta or local storage since XSS allows you to cause much more damage than what the token is meant to prevent.

Where Next?

Popular in Questions Top

skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
LegitStack
I’m trying to make a websocket server in Phoenix or raw Elixir. I heard about gun, I think I could use cowboy, but since I’m not that sma...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 53690 245
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
marick
I had some trouble figuring out how to make many-to-many associations work. Once I got it working, I wrote a blog post. Because I’m a nov...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

We're in Beta

About us Mission Statement