<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
CSRF and Javascript cookies are unrelated.<br>
<br>
I could build a CSRF attack using an img tag or submitting a form,
and never touching it with Javascript. The only way to truly protect
against CSRF is to use session tokens (referrer checking doesn't
work if you expect requests from flash and/or SSL).<br>
<br>
Store the session token in the form for any request that can change
data and match it with the cookie. If either the cookie or token do
not match, reject the request. The token should be protected thanks
to the Same-Origin Policy implemented by browsers.<br>
<br>
As far as I know, making the cookie http only has no impact on this,
but is rather protection when it comes to XSS accessing cookie data,
not CSRF.<br>
<br>
On 12-05-15 2:26 PM, Bob Ippolito wrote:
<blockquote
cite="mid:CACwMPm-WZGOkm3U_egT=PK4HCe6BeatZoCS-tfp8JW5mhk_emA@mail.gmail.com"
type="cite">You should also make sure to only use https for
cookies [1] and to make them invisible to JavaScript [2]. This of
course makes it a bit more complicated because you'll need a SSL
certificate, but that's basically necessary for session security.
<div>
<div><br>
</div>
<div>
<div>cowboy_cookies:cookie(</div>
<div> ?COOKIENAME,</div>
<div> SessionId,</div>
<div> [{http_only, true},</div>
<div> {secure, true}]).</div>
<div><br>
</div>
<div>[1] HTTP makes it too easy for an observer to steal your
session. {secure, true} forces the cookie to only be visible
on HTTPS.</div>
<div>[2] JavaScript accessible cookies can be stolen via CSRF
attacks (given some other constraints, but it's better to be
safe). {secure, true} makes the cookie show up as an empty
string from JavaScript.</div>
<div><br>
</div>
<div class="gmail_quote">On Tue, May 15, 2012 at 12:13 PM, Wes
James <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Ok - thanks for the quick response!
<div><br>
</div>
<div>Wes</div>
<br>
<div class="gmail_quote">
<div class="im">On Tue, May 15, 2012 at 12:10 PM, Loïc
Hoguin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On login, make the server generate an
UUID, associate that UUID with the logged in user,
and set it as the cookie you will use to identify
the user. Then just compare that cookie with your
list of logged in users to find who it is.<br>
<br>
It should already be a good start.
<div>
<div><br>
<br>
On 05/15/2012 08:03 PM, Wes James wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
I'm using cowboy for an application and I'm
setting a simple cookie with<br>
an expire to log users out after a certain
time. Using a simple cookie<br>
seams like it is not secure, though. As
someone could read the code and<br>
set the cookie in their browser and then get
access to the site, right?<br>
Are there any examples of securely using
cookies in cowboy or some<br>
other erlang app/framework that shows how
cookies are used? I guess<br>
some random time based cookie might work
better.<br>
<br>
Thanks,<br>
<br>
Wes<br>
<br>
<br>
</div>
</div>
_______________________________________________<br>
erlang-questions mailing list<br>
<a moz-do-not-send="true"
href="mailto:erlang-questions@erlang.org"
target="_blank">erlang-questions@erlang.org</a><br>
<a moz-do-not-send="true"
href="http://erlang.org/mailman/listinfo/erlang-questions"
target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><span><font
color="#888888"><br>
</font></span></blockquote>
</div>
<span><font color="#888888">
<br>
<span class="HOEnZb"><font color="#888888">
<br>
-- <br>
Loďc Hoguin<br>
Erlang Cowboy<br>
Nine Nines<br>
</font></span></font></span></blockquote>
</div>
<br>
<br>
_______________________________________________<br>
erlang-questions mailing list<br>
<a moz-do-not-send="true"
href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a moz-do-not-send="true"
href="http://erlang.org/mailman/listinfo/erlang-questions"
target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
erlang-questions mailing list
<a class="moz-txt-link-abbreviated" href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a>
<a class="moz-txt-link-freetext" href="http://erlang.org/mailman/listinfo/erlang-questions">http://erlang.org/mailman/listinfo/erlang-questions</a>
</pre>
</blockquote>
</body>
</html>