[erlang-questions] secure use of cookies in an erlang application

Fred Hebert mononcqc@REDACTED
Wed May 16 02:21:21 CEST 2012

CSRF and Javascript cookies are unrelated.

I could build a CSRF attack using an img tag or submitting a form, and 
never touching it with Javascript. The only way to truly protect against 
CSRF is to use session tokens (referrer checking doesn't work if you 
expect requests from flash and/or SSL).

Store the session token in the form for any request that can change data 
and match it with the cookie. If either the cookie or token do not 
match, reject the request. The token should be protected thanks to the 
Same-Origin Policy implemented by browsers.

As far as I know, making the cookie http only has no impact on this, but 
is rather protection when it comes to XSS accessing cookie data, not CSRF.

On 12-05-15 2:26 PM, Bob Ippolito wrote:
> You should also make sure to only use https for cookies [1] and to 
> make them invisible to JavaScript [2]. This of course makes it a bit 
> more complicated because you'll need a SSL certificate, but that's 
> basically necessary for session security.
> cowboy_cookies:cookie(
>                  ?COOKIENAME,
>                  SessionId,
>                  [{http_only, true},
>                   {secure, true}]).
> [1] HTTP makes it too easy for an observer to steal your session. 
> {secure, true} forces the cookie to only be visible on HTTPS.
> [2] JavaScript accessible cookies can be stolen via CSRF attacks 
> (given some other constraints, but it's better to be safe). {secure, 
> true} makes the cookie show up as an empty string from JavaScript.
> On Tue, May 15, 2012 at 12:13 PM, Wes James <comptekki@REDACTED 
> <mailto:comptekki@REDACTED>> wrote:
>     Ok - thanks for the quick response!
>     Wes
>     On Tue, May 15, 2012 at 12:10 PM, Loïc Hoguin <essen@REDACTED
>     <mailto:essen@REDACTED>> wrote:
>         On login, make the server generate an UUID, associate that
>         UUID with the logged in user, and set it as the cookie you
>         will use to identify the user. Then just compare that cookie
>         with your list of logged in users to find who it is.
>         It should already be a good start.
>         On 05/15/2012 08:03 PM, Wes James wrote:
>             I'm using cowboy for an application and I'm setting a
>             simple cookie with
>             an expire to log users out after a certain time.  Using a
>             simple cookie
>             seams like it is not secure, though.  As someone could
>             read the code and
>             set the cookie in their browser and then get access to the
>             site, right?
>              Are there any examples of securely using cookies in
>             cowboy or some
>             other erlang app/framework that shows how cookies are
>             used?  I guess
>             some random time based cookie might work better.
>             Thanks,
>             Wes
>             _______________________________________________
>             erlang-questions mailing list
>             erlang-questions@REDACTED
>             <mailto:erlang-questions@REDACTED>
>             http://erlang.org/mailman/listinfo/erlang-questions
>         -- 
>         Lod(c Hoguin
>         Erlang Cowboy
>         Nine Nines
>     _______________________________________________
>     erlang-questions mailing list
>     erlang-questions@REDACTED <mailto:erlang-questions@REDACTED>
>     http://erlang.org/mailman/listinfo/erlang-questions
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20120515/88828794/attachment.htm>

More information about the erlang-questions mailing list