[erlang-questions] secure use of cookies in an erlang application

Adam Rutkowski <>
Tue May 15 20:19:50 CEST 2012


On May 15, 2012, at 8:03 PM, Wes James wrote:

> I'm using cowboy for an application and I'm setting a simple cookie with an expire to log users out after a certain time.  Using a simple cookie seams like it is not secure, though.  As someone could read the code and set the cookie in their browser and then get access to the site, right?  Are there any examples of securely using cookies in cowboy or some other erlang app/framework that shows how cookies are used?  I guess some random time based cookie might work better.

One simple approach is to make an expiring process that generates a random binary per user session. Use its value to encyrpt the cookie, encode it somehow so it's browser/cowboy-friendly (I remember I had some trouble using base64 with cowboy cookie module, which led me to a hexstring eventually), then verify it using the onrequest hook.
Whatever you choose to do, pass it through SSL and use secure cookies (https://github.com/essen/cowboy/blob/master/src/cowboy_cookies.erl#L28).

Hope that helps.
--
AR












More information about the erlang-questions mailing list