[erlang-questions] secure use of cookies in an erlang application

Max Lapshin <>
Tue May 15 21:44:52 CEST 2012


Ruby on Rails implements a wonderful idea:

you pack your session as a JSON:  {user_id : 15, ip : "23.45.67.89",
expire_at : 1234567780},
then you take base64 from it,
then you concat base64 with secret key and take sha1 from it.

Cookie = base64(Session) ++ "--" ++ sha1(base64(Session) ++ SecretKey)

later on each request you validate that session is signed properly,
check IP address, timeout and use your really stateless session.



More information about the erlang-questions mailing list