[erlang-questions] secure use of cookies in an erlang application

Bob Ippolito <>
Wed May 16 02:39:10 CEST 2012


You're right, I meant XSS but typed CSRF. Thanks :)

On Tuesday, May 15, 2012, Fred Hebert wrote:

>  CSRF and Javascript cookies are unrelated.
>
> I could build a CSRF attack using an img tag or submitting a form, and
> never touching it with Javascript. The only way to truly protect against
> CSRF is to use session tokens (referrer checking doesn't work if you expect
> requests from flash and/or SSL).
>
> Store the session token in the form for any request that can change data
> and match it with the cookie. If either the cookie or token do not match,
> reject the request. The token should be protected thanks to the Same-Origin
> Policy implemented by browsers.
>
> As far as I know, making the cookie http only has no impact on this, but
> is rather protection when it comes to XSS accessing cookie data, not CSRF.
>
> On 12-05-15 2:26 PM, Bob Ippolito wrote:
>
> You should also make sure to only use https for cookies [1] and to make
> them invisible to JavaScript [2]. This of course makes it a bit more
> complicated because you'll need a SSL certificate, but that's basically
> necessary for session security.
>
>  cowboy_cookies:cookie(
>                  ?COOKIENAME,
>                  SessionId,
>                  [{http_only, true},
>                   {secure, true}]).
>
>  [1] HTTP makes it too easy for an observer to steal your session.
> {secure, true} forces the cookie to only be visible on HTTPS.
> [2] JavaScript accessible cookies can be stolen via CSRF attacks (given
> some other constraints, but it's better to be safe). {secure, true} makes
> the cookie show up as an empty string from JavaScript.
>
>  On Tue, May 15, 2012 at 12:13 PM, Wes James <> wrote:
>
> Ok - thanks for the quick response!
>
>  Wes
>
>  On Tue, May 15, 2012 at 12:10 PM, Loïc Hoguin <> wrote:
>
> On login, make the server generate an UUID, associate that UUID with the
> logged in user, and set it as the cookie you will use to identify the user.
> Then just compare that cookie with your list of logged in users to find who
> it is.
>
> It should already be a good start.
>
>
> On 05/15/2012 08:03 PM, Wes James wrote:
>
>  I'm using cowboy for an application and I'm setting a simple cookie with
> an expire to log users out after a certain time.  Using a simple cookie
> seams like it is not secure, though.  As someone could read the code and
> set the cookie in their browser and then get access to the site, right?
>  Are there any examples of securely using cookies in cowboy or some
> other erlang app/framework that shows how cookies are used?  I guess
> some random time based cookie might work better.
>
> Thanks,
>
> Wes
>
>
>  _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
>
> --
> Loďc Hoguin
> Erlang Cowboy
> Nine Nines
>
>
>
> ____________
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20120516/1d6bca74/attachment.html>


More information about the erlang-questions mailing list