You should also make sure to only use https for cookies [1] and to make them invisible to JavaScript [2]. This of course makes it a bit more complicated because you'll need a SSL certificate, but that's basically necessary for session security.<div>
<div><br></div><div><div>cowboy_cookies:cookie(</div><div> ?COOKIENAME,</div><div> SessionId,</div><div> [{http_only, true},</div><div> {secure, true}]).</div>
<div><br></div><div>[1] HTTP makes it too easy for an observer to steal your session. {secure, true} forces the cookie to only be visible on HTTPS.</div><div>[2] JavaScript accessible cookies can be stolen via CSRF attacks (given some other constraints, but it's better to be safe). {secure, true} makes the cookie show up as an empty string from JavaScript.</div>
<div><br></div><div class="gmail_quote">On Tue, May 15, 2012 at 12:13 PM, Wes James <span dir="ltr"><<a href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ok - thanks for the quick response!<div><br></div><div>Wes</div><br><div class="gmail_quote"><div class="im">On Tue, May 15, 2012 at 12:10 PM, Loïc Hoguin <span dir="ltr"><<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On login, make the server generate an UUID, associate that UUID with the logged in user, and set it as the cookie you will use to identify the user. Then just compare that cookie with your list of logged in users to find who it is.<br>
<br>
It should already be a good start.<div><div><br>
<br>
On 05/15/2012 08:03 PM, Wes James wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
I'm using cowboy for an application and I'm setting a simple cookie with<br>
an expire to log users out after a certain time. Using a simple cookie<br>
seams like it is not secure, though. As someone could read the code and<br>
set the cookie in their browser and then get access to the site, right?<br>
Are there any examples of securely using cookies in cowboy or some<br>
other erlang app/framework that shows how cookies are used? I guess<br>
some random time based cookie might work better.<br>
<br>
Thanks,<br>
<br>
Wes<br>
<br>
<br></div></div>
______________________________<u></u>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/<u></u>listinfo/erlang-questions</a><span><font color="#888888"><br>
</font></span></blockquote></div><span><font color="#888888">
<br><span class="HOEnZb"><font color="#888888">
<br>
-- <br>
Loďc Hoguin<br>
Erlang Cowboy<br>
Nine Nines<br>
</font></span></font></span></blockquote></div><br>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div>