[erlang-questions] secure use of cookies in an erlang application

Matti Oinas <>
Wed May 16 05:56:44 CEST 2012


I would recommend reading the paper
http://www.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf

It is a good description of the method used by Rails, and it also
presents a couple of not-so-good implementations of web authentication.


This stackoverflow post is great and contains links to good sources of
information including the one mentioned above.

http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication?answertab=votes#tab-top


On Tue, May 15, 2012 at 10:44 PM, Max Lapshin <> wrote:
> Ruby on Rails implements a wonderful idea:
>
> you pack your session as a JSON:  {user_id : 15, ip : "23.45.67.89",
> expire_at : 1234567780},
> then you take base64 from it,
> then you concat base64 with secret key and take sha1 from it.
>
> Cookie = base64(Session) ++ "--" ++ sha1(base64(Session) ++ SecretKey)
>
> later on each request you validate that session is signed properly,
> check IP address, timeout and use your really stateless session.
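The scheme sketched in the quoted message, as an added Erlang example that is not code from the thread, from Rails, or from the linked paper. Names (module `signed_cookie`, `seal/2`, `open/4`) and the module layout are assumptions. Two substitutions are deliberate and labelled in the code: the tag is an HMAC (`crypto:mac/4`, OTP 22.1+) rather than `sha1(base64(Session) ++ SecretKey)`, because a keyed MAC is the standard construction for this job, and the payload is `term_to_binary/1` rather than JSON so the module depends only on OTP. The tag is compared in constant time and checked before anything in the payload is decoded; expiry and client IP are then validated as the message describes. Base64 is an encoding, not encryption, so `user_id`, `ip` and `expire_at` remain readable to the client.

```erlang
%% signed_cookie.erl
%% Added example (not from the thread, Rails, or the linked paper) of a
%% stateless signed session cookie:
%%   Cookie = base64(Session) ++ "--" ++ base64(HMAC-SHA256(SecretKey, base64(Session)))
%% Assumes OTP 22.1+ for crypto:mac/4.
-module(signed_cookie).
-export([seal/2, open/4]).

-define(SEP, <<"--">>).   %% base64 never contains '-', so the split is unambiguous

%% Session is a map, e.g. #{user_id => 15, ip => <<"23.45.67.89">>,
%% expire_at => 1234567780} (values taken from the quoted message).
%% HMAC replaces the plain sha1(Payload ++ Secret) tag of the sketch.
seal(Session, SecretKey) when is_map(Session), is_binary(SecretKey) ->
    Payload = base64:encode(term_to_binary(Session)),
    Tag = base64:encode(crypto:mac(hmac, sha256, SecretKey, Payload)),
    <<Payload/binary, ?SEP/binary, Tag/binary>>.

%% open(Cookie, SecretKey, Now, ClientIp) -> {ok, Session} | {error, Reason}
%% Now is the current Unix time; ClientIp is the peer address as a binary.
%% The tag is verified before anything in the payload is decoded or trusted.
open(Cookie, SecretKey, Now, ClientIp) when is_binary(Cookie) ->
    case binary:split(Cookie, ?SEP) of
        [Payload, Tag] ->
            Expected = base64:encode(crypto:mac(hmac, sha256, SecretKey, Payload)),
            case constant_time_equal(Tag, Expected) of
                true  -> validate(decode_payload(Payload), Now, ClientIp);
                false -> {error, bad_signature}
            end;
        _ ->
            {error, malformed}
    end.

%% Decode only after the signature has been verified; [safe] refuses to
%% create new atoms or external funs should a payload ever be malformed.
decode_payload(Payload) ->
    try binary_to_term(base64:decode(Payload), [safe]) of
        Session when is_map(Session) -> {ok, Session};
        _ -> {error, malformed}
    catch
        _:_ -> {error, malformed}
    end.

%% Server-side checks from the quoted message: timeout and IP address.
validate({error, _} = Err, _Now, _ClientIp) ->
    Err;
validate({ok, #{expire_at := ExpireAt}}, Now, _ClientIp) when Now >= ExpireAt ->
    {error, expired};
validate({ok, #{ip := Ip}}, _Now, ClientIp) when Ip =/= ClientIp ->
    {error, ip_mismatch};
validate({ok, #{expire_at := _, ip := _} = Session}, _Now, _ClientIp) ->
    {ok, Session};
validate({ok, _}, _Now, _ClientIp) ->
    {error, missing_fields}.

%% Compare two binaries without leaking where they first differ.
constant_time_equal(A, B) when byte_size(A) =/= byte_size(B) ->
    false;
constant_time_equal(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs).
```

Usage from the shell, with a key generated once (e.g. `Key = crypto:strong_rand_bytes(32).`) and kept out of the cookie: `Cookie = signed_cookie:seal(#{user_id => 15, ip => <<"23.45.67.89">>, expire_at => 1234567780}, Key).` followed by `signed_cookie:open(Cookie, Key, Now, PeerIp).` where `Now` is the server clock and `PeerIp` the connection's address. Any edit to the base64 portion, any tag computed with a different key, a cookie presented after `expire_at`, or one presented from another address is rejected with a distinct `{error, Reason}`, which is what you want to log.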


