Add an example of a session cookie #465

Closed


@acammack

No description provided.

@rambocoder rambocoder commented on the diff Mar 13, 2013
examples/session_cookie/src/session_cookie_util.erl
+ false -> Default;
+ {_, Val} -> Val
+ end.
+
+set_key(Key, Val, Session) ->
+ [{Key, Val} | lists:keydelete(Key, 1, Session)].
+
+generate_cookie(Session) ->
+ Expires = base64:encode(<< (expires(os:timestamp(), timeout())):64 >>),
+ SessionPack = [Expires, base64:encode(term_to_binary(Session))],
+ SignedSession = [signature(SessionPack), SessionPack],
+ cowboy_http:cookie_to_iodata(<<"mycowboysession">>, SignedSession,
+ [{max_age, timeout()}, {http_only, true}]).
+
+parse_cookie(<< Sig:44/binary, Expires:12/binary, Data/binary >>) ->
+ Sig = signature([Expires, Data]),
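Review bot: the check at `+ Sig = signature([Expires, Data]),` rejects a forged cookie by raising a badmatch, which is both a variable-time comparison (the VM stops at the first differing byte) and a crash rather than a value the caller can handle; compare the received and expected signatures explicitly with a comparison that does not short-circuit, and return something like `{error, bad_signature}` so the handler can clear the cookie. Also, the options `[{max_age, timeout()}, {http_only, true}]` in generate_cookie set HttpOnly but not Secure; a session cookie served over HTTPS should also carry `{secure, true}`.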
@rambocoder
rambocoder added a line comment Mar 13, 2013

Does this comparison need to be done in constant time to prevent a timing attack? I am no security expert, but is this commit an appropriate approach: spawngrid/cowboy_session@515c17c

@acammack
acammack added a line comment Mar 14, 2013

This could be vulnerable to timing attacks, but my (rudimentary) benchmarking shows that while matching identical binaries is faster, the difference between binaries with different lengths of common prefixes is in the 1-5 nanosecond range. Most of that ends up getting smothered with the catch. I doubt the commit you linked is vulnerable to such an attack, but I need to do more testing and reading to really tell.

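The verify path the two comments above are discussing, written out as an added Erlang example (not code from this pull request or from cowboy): it keeps the same Sig(44) | Expires(12) | Data cookie layout, but compares the signature in constant time and reports a tampered, expired or malformed cookie as an error tuple instead of a badmatch crash. The module name, sign/4, verify/3, the seconds-based timestamps and the use of crypto:mac/4 (OTP 22 or later) are assumptions.

```erlang
%% session_cookie_verify: added example, not part of the PR or of cowboy.
-module(session_cookie_verify).
-export([sign/4, verify/3, const_time_equal/2]).

-define(SIG_LEN, 44).  %% base64 of a 32-byte HMAC-SHA256 digest
-define(EXP_LEN, 12).  %% base64 of a 64-bit big-endian expiry timestamp

%% Build a cookie value with the PR's layout: Sig(44) | Expires(12) | Data.
%% Key is the HMAC secret; Now and Ttl are seconds (assumed units).
sign(Key, Session, Now, Ttl) when is_binary(Key), is_integer(Now), is_integer(Ttl) ->
    Expires = base64:encode(<<(Now + Ttl):64>>),
    Data = base64:encode(term_to_binary(Session)),
    Sig = signature(Key, Expires, Data),
    <<Sig/binary, Expires/binary, Data/binary>>.

%% Returns {ok, Session} | {error, Reason}. A bad cookie is reported as a
%% value instead of a badmatch crash, and the signature is checked in
%% constant time before any of the payload is decoded.
verify(Key, <<Sig:?SIG_LEN/binary, Expires:?EXP_LEN/binary, Data/binary>>, Now) ->
    Expected = signature(Key, Expires, Data),
    case const_time_equal(Sig, Expected) of
        false ->
            {error, bad_signature};
        true ->
            %% Expires and Data are authentic at this point, so decoding is safe;
            %% [safe] still refuses payloads that would create new atoms.
            <<ExpiresAt:64>> = base64:decode(Expires),
            if
                Now >= ExpiresAt -> {error, expired};
                true -> {ok, binary_to_term(base64:decode(Data), [safe])}
            end
    end;
verify(_Key, _Cookie, _Now) ->
    {error, malformed}.

%% HMAC-SHA256 over the same iolist the PR signs; crypto:mac/4 needs OTP 22+.
signature(Key, Expires, Data) ->
    base64:encode(crypto:mac(hmac, sha256, Key, [Expires, Data])).

%% OR together the XOR of every byte pair, so the time taken does not depend
%% on where the first differing byte is. A length mismatch is rejected up
%% front, which only reveals the (public) digest length.
const_time_equal(A, B) when byte_size(A) =/= byte_size(B) ->
    false;
const_time_equal(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs).
```

With `C = session_cookie_verify:sign(<<"secret">>, [{user, 42}], 1700000000, 3600)`, `verify(<<"secret">>, C, 1700000000)` gives `{ok, [{user, 42}]}`, the same call with any byte of `C` changed gives `{error, bad_signature}`, and a `Now` of `1700003600` or later gives `{error, expired}`.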
@essen
Nine Nines member

I have no idea what this example is for. This is Erlang, you don't need to store everything in cookies, you can just start a process for handling the session and tie the pid to a UUID stored in a cookie.

@rambocoder

It could be a decent example of handling cookies?

@essen
Nine Nines member

We already have a cookie example. We don't have a session example though; however, this kind of session I really don't recommend. This doesn't work if you run both a web and a mobile application, for example. It doesn't work well with Websocket either, as you can only set cookies when establishing the connection, or using some special JS to set the cookie sent over Websocket. There are many issues with this approach, this isn't really something we want to have in the examples.

@essen
Nine Nines member

Closing this for the reasons mentioned above. Thanks anyway!

@essen essen closed this Apr 11, 2013