[erlang-questions] secure use of cookies in an erlang application

Bob Ippolito <>
Tue May 15 20:26:32 CEST 2012


You should also make sure to only use https for cookies [1] and to make
them invisible to JavaScript [2]. This of course makes it a bit more
complicated because you'll need an SSL certificate, but that's basically
necessary for session security.

cowboy_cookies:cookie(
                 ?COOKIENAME,
                 SessionId,
                 [{http_only, true},
                  {secure, true}]).

[1] HTTP makes it too easy for an observer to steal your session. {secure,
true} forces the cookie to only be visible on HTTPS.
[2] JavaScript-accessible cookies can be stolen via CSRF attacks (given
some other constraints, but it's better to be safe). {secure, true} makes
the cookie show up as an empty string from JavaScript.

On Tue, May 15, 2012 at 12:13 PM, Wes James <> wrote:

> Ok - thanks for the quick response!
>
> Wes
>
> On Tue, May 15, 2012 at 12:10 PM, Loïc Hoguin <> wrote:
>
>> On login, make the server generate a UUID, associate that UUID with the
>> logged-in user, and set it as the cookie you will use to identify the user.
>> Then just compare that cookie with your list of logged-in users to find who
>> it is.
>>
>> It should already be a good start.
>>
>>
>> On 05/15/2012 08:03 PM, Wes James wrote:
>>
>>> I'm using cowboy for an application and I'm setting a simple cookie with
>>> an expire to log users out after a certain time. Using a simple cookie
>>> seems like it is not secure, though. As someone could read the code and
>>> set the cookie in their browser and then get access to the site, right?
>>> Are there any examples of securely using cookies in cowboy or some
>>> other erlang app/framework that shows how cookies are used? I guess
>>> some random time based cookie might work better.
>>>
>>> Thanks,
>>>
>>> Wes
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>>
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>
>>
>> --
>> Loïc Hoguin
>> Erlang Cowboy
>> Nine Nines
>>
>
>
>
>
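The pattern the thread describes (server-minted random session id kept in a server-side table, sent back in a cookie that is HttpOnly and Secure, and checked against that table on each request), as an added example that is not code from the thread or from Cowboy itself. It assumes a public ETS table owned by the caller, a random token in place of a UUID (same purpose), a hand-built Set-Cookie header instead of Cowboy's helper, and a clock value passed in by the caller:

```erlang
%% session_example.erl: added illustration, not code from the thread or from Cowboy.
%% Assumptions: ETS table owned by the calling process, random token instead of a
%% UUID, Set-Cookie header built by hand, current time passed in as an argument.
-module(session_example).
-export([init/0, login/2, authenticate/2, logout/1, set_cookie/1]).

-define(COOKIENAME, "session").
-define(TTL_SECONDS, 3600).

%% Create the in-memory store of {SessionId, User, ExpiresAt}.
init() ->
    ets:new(sessions, [named_table, set, public]).

%% On login: mint an unguessable id, remember who it belongs to, and return the
%% Set-Cookie header value the response should carry.
login(User, NowSeconds) ->
    SessionId = base64:encode(crypto:strong_rand_bytes(16)),
    true = ets:insert(sessions, {SessionId, User, NowSeconds + ?TTL_SECONDS}),
    {SessionId, set_cookie(SessionId)}.

%% HttpOnly keeps document.cookie from reading the id; Secure keeps the browser
%% from sending it over plain HTTP. Max-Age mirrors the server-side expiry.
set_cookie(SessionId) ->
    iolist_to_binary([?COOKIENAME, "=", SessionId,
                      "; Path=/; Max-Age=", integer_to_list(?TTL_SECONDS),
                      "; HttpOnly; Secure"]).

%% On each request: a cookie value is trusted only if the server issued it and
%% it has not expired. A value a client made up is simply absent from the table.
authenticate(SessionId, NowSeconds) ->
    case ets:lookup(sessions, SessionId) of
        [{_, User, ExpiresAt}] when ExpiresAt > NowSeconds ->
            {ok, User};
        [{_, _, _}] ->
            ets:delete(sessions, SessionId),
            {error, expired};
        [] ->
            {error, unknown}
    end.

%% Logout invalidates the id server-side, so a copied cookie stops working too.
logout(SessionId) ->
    ets:delete(sessions, SessionId),
    ok.
```

Because the table holds the only record of which ids are valid, restarting the owning process logs everyone out, which is the expected behaviour for an in-memory store.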