[erlang-questions] secure use of cookies in an erlang application

Bob Ippolito <>
Tue May 15 20:28:38 CEST 2012


On Tue, May 15, 2012 at 12:19 PM, Adam Rutkowski
<>wrote:

> On May 15, 2012, at 8:03 PM, Wes James wrote:
>
> > I'm using cowboy for an application and I'm setting a simple cookie with
> an expire to log users out after a certain time.  Using a simple cookie
> seams like it is not secure, though.  As someone could read the code and
> set the cookie in their browser and then get access to the site, right?
>  Are there any examples of securely using cookies in cowboy or some other
> erlang app/framework that shows how cookies are used?  I guess some random
> time based cookie might work better.
>
> One simple approach is to make an expiring process that generates a random
> binary per user session. Use its value to encyrpt the cookie, encode it
> somehow so it's browser/cowboy-friendly (I remember I had some trouble
> using base64 with cowboy cookie module, which led me to a hexstring
> eventually), then verify it using the onrequest hook.
> Whatever you choose to do, pass it through SSL and use secure cookies (
> https://github.com/essen/cowboy/blob/master/src/cowboy_cookies.erl#L28).
>

The base64 codec uses some characters that aren't safe in URLs or cookies,
so you'll have to modify it slightly.
http://en.wikipedia.org/wiki/Base64#URL_applications

-bob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20120515/d17d7cfc/attachment.html>


More information about the erlang-questions mailing list