Tue May 15 20:28:38 CEST 2012
On Tue, May 15, 2012 at 12:19 PM, Adam Rutkowski
> On May 15, 2012, at 8:03 PM, Wes James wrote:
> > I'm using cowboy for an application and I'm setting a simple cookie with
> > an expire to log users out after a certain time. Using a simple cookie
> > seems like it is not secure, though. As someone could read the code and
> > set the cookie in their browser and then get access to the site, right?
> > Are there any examples of securely using cookies in cowboy or some other
> > erlang app/framework that shows how cookies are used? I guess some random
> > time based cookie might work better.
>
> One simple approach is to make an expiring process that generates a random
> binary per user session. Use its value to encrypt the cookie, encode it
> somehow so it's browser/cowboy-friendly (I remember I had some trouble
> using base64 with cowboy cookie module, which led me to a hexstring
> eventually), then verify it using the onrequest hook.
> Whatever you choose to do, pass it through SSL and use secure cookies (
The base64 codec uses some characters that aren't safe in URLs or cookies,
so you'll have to modify it slightly.
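
Added example, not code from the thread or from cowboy: one way to apply the base64 modification described above to the random per-session binary suggested earlier, producing a value that uses only characters safe in cookies and URLs. The module name cookie_token, its function names and the 32-byte token size are assumptions made for illustration.

```erlang
-module(cookie_token).
-export([new/0, encode/1, decode/1]).

%% Assumption (not from the thread): 32 random bytes per session token.
-define(TOKEN_BYTES, 32).

%% Unpredictable per-session value from the CSPRNG, already cookie-safe.
new() ->
    encode(crypto:strong_rand_bytes(?TOKEN_BYTES)).

%% Standard base64 with '+' -> '-', '/' -> '_' and the '=' padding dropped.
encode(Bin) when is_binary(Bin) ->
    << <<(to_safe(C))>> || <<C>> <= base64:encode(Bin), C =/= $= >>.

%% Returns {ok, Binary} or error; never crashes on untrusted input.
decode(Safe) when is_binary(Safe) ->
    case lists:all(fun safe_char/1, binary_to_list(Safe)) of
        false -> error;
        true ->
            Std = << <<(from_safe(C))>> || <<C>> <= Safe >>,
            %% Restore the padding that encode/1 removed.
            case byte_size(Std) rem 4 of
                0 -> try_decode(Std);
                2 -> try_decode(<<Std/binary, "==">>);
                3 -> try_decode(<<Std/binary, "=">>);
                1 -> error   % no base64 string has this length
            end
    end.

try_decode(Std) ->
    try {ok, base64:decode(Std)}
    catch _:_ -> error
    end.

to_safe($+) -> $-;
to_safe($/) -> $_;
to_safe(C)  -> C.

from_safe($-) -> $+;
from_safe($_) -> $/;
from_safe(C)  -> C.

safe_char(C) when C >= $A, C =< $Z -> true;
safe_char(C) when C >= $a, C =< $z -> true;
safe_char(C) when C >= $0, C =< $9 -> true;
safe_char($-) -> true;
safe_char($_) -> true;
safe_char(_)  -> false.
```

The server keeps the value returned by new/0 with the session and compares it against the cookie on each request; a cookie for which decode/1 returns error can be rejected before any lookup.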