You're right, I meant XSS but typed CSRF. Thanks :)<span></span><div><br>On Tuesday, May 15, 2012, Fred Hebert wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
CSRF and Javascript cookies are unrelated.<br>
<br>
I could build a CSRF attack using an img tag or submitting a form,
and never touching it with Javascript. The only way to truly protect
against CSRF is to use session tokens (referrer checking doesn't
work if you expect requests from flash and/or SSL).<br>
<br>
Store the session token in the form for any request that can change
data and match it with the cookie. If either the cookie or token do
not match, reject the request. The token should be protected thanks
to the Same-Origin Policy implemented by browsers.<br>
<br>
As far as I know, making the cookie http only has no impact on this,
but is rather protection when it comes to XSS accessing cookie data,
not CSRF.<br>
<br>
On 12-05-15 2:26 PM, Bob Ippolito wrote:
<blockquote type="cite">You should also make sure to only use https for
cookies [1] and to make them invisible to JavaScript [2]. This of
course makes it a bit more complicated because you'll need a SSL
certificate, but that's basically necessary for session security.
<div>
<div><br>
</div>
<div>
<div>cowboy_cookies:cookie(</div>
<div> ?COOKIENAME,</div>
<div> SessionId,</div>
<div> [{http_only, true},</div>
<div> {secure, true}]).</div>
<div><br>
</div>
<div>[1] HTTP makes it too easy for an observer to steal your
session. {secure, true} forces the cookie to only be visible
on HTTPS.</div>
<div>[2] JavaScript accessible cookies can be stolen via CSRF
attacks (given some other constraints, but it's better to be
safe). {secure, true} makes the cookie show up as an empty
string from JavaScript.</div>
<div><br>
</div>
<div>On Tue, May 15, 2012 at 12:13 PM, Wes
James <span dir="ltr"><<a>comptekki@gmail.com</a>></span>
wrote:<br>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ok - thanks for the quick response!
<div><br>
</div>
<div>Wes</div>
<br>
<div>
<div>On Tue, May 15, 2012 at 12:10 PM, Loïc
Hoguin <span dir="ltr"><<a>essen@ninenines.eu</a>></span>
wrote:<br>
</div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On login, make the server generate an
UUID, associate that UUID with the logged in user,
and set it as the cookie you will use to identify
the user. Then just compare that cookie with your
list of logged in users to find who it is.<br>
<br>
It should already be a good start.
<div>
<div><br>
<br>
On 05/15/2012 08:03 PM, Wes James wrote:<br>
</div>
</div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
I'm using cowboy for an application and I'm
setting a simple cookie with<br>
an expire to log users out after a certain
time. Using a simple cookie<br>
seams like it is not secure, though. As
someone could read the code and<br>
set the cookie in their browser and then get
access to the site, right?<br>
Are there any examples of securely using
cookies in cowboy or some<br>
other erlang app/framework that shows how
cookies are used? I guess<br>
some random time based cookie might work
better.<br>
<br>
Thanks,<br>
<br>
Wes<br>
<br>
<br>
</div>
</div>
_______________________________________________<br>
erlang-questions mailing list<br>
<a>erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><span><font color="#888888"><br>
</font></span></blockquote>
</div>
<span><font color="#888888">
<br>
<span><font color="#888888">
<br>
-- <br>
Loďc Hoguin<br>
Erlang Cowboy<br>
Nine Nines<br>
</font></span></font></span></blockquote>
</div>
<br>
<br>
____________</blockquote></div></div></div></blockquote></div>
</blockquote></div>