[erlang-questions] secure use of cookies in an erlang application


Wes James

May 15, 2012, 2:03:50 PM
to erlang-q...@erlang.org
I'm using cowboy for an application and I'm setting a simple cookie with an expire to log users out after a certain time.  Using a simple cookie seems like it is not secure, though.  As someone could read the code and set the cookie in their browser and then get access to the site, right?  Are there any examples of securely using cookies in cowboy or some other erlang app/framework that shows how cookies are used?  I guess some random time-based cookie might work better.

Thanks,

Wes

Loïc Hoguin

May 15, 2012, 2:10:50 PM
to Wes James, erlang-q...@erlang.org
On login, make the server generate a UUID, associate that UUID with the
logged in user, and set it as the cookie you will use to identify the
user. Then just compare that cookie with your list of logged in users to
find who it is.

It should already be a good start.


--
Loïc Hoguin
Erlang Cowboy
Nine Nines
_______________________________________________
erlang-questions mailing list
erlang-q...@erlang.org
http://erlang.org/mailman/listinfo/erlang-questions

Wes James

May 15, 2012, 2:13:25 PM
to Loïc Hoguin, erlang-q...@erlang.org
Ok - thanks for the quick response!

Wes


Adam Rutkowski

May 15, 2012, 2:19:50 PM
to Wes James, erlang-q...@erlang.org
On May 15, 2012, at 8:03 PM, Wes James wrote:

> I'm using cowboy for an application and I'm setting a simple cookie with an expire to log users out after a certain time. Using a simple cookie seams like it is not secure, though. As someone could read the code and set the cookie in their browser and then get access to the site, right? Are there any examples of securely using cookies in cowboy or some other erlang app/framework that shows how cookies are used? I guess some random time based cookie might work better.

One simple approach is to make an expiring process that generates a random binary per user session. Use its value to encrypt the cookie, encode it somehow so it's browser/cowboy-friendly (I remember I had some trouble using base64 with the cowboy cookie module, which led me to a hex string eventually), then verify it using the onrequest hook.
Whatever you choose to do, pass it through SSL and use secure cookies (https://github.com/essen/cowboy/blob/master/src/cowboy_cookies.erl#L28).

Hope that helps.
--
AR

Bob Ippolito

May 15, 2012, 2:26:32 PM
to Wes James, erlang-q...@erlang.org
You should also make sure to only use https for cookies [1] and to make them invisible to JavaScript [2]. This of course makes it a bit more complicated because you'll need a SSL certificate, but that's basically necessary for session security.

cowboy_cookies:cookie(
                 ?COOKIENAME,
                 SessionId,
                 [{http_only, true},
                  {secure, true}]).

[1] HTTP makes it too easy for an observer to steal your session. {secure, true} forces the cookie to only be visible on HTTPS.
[2] JavaScript accessible cookies can be stolen via CSRF attacks (given some other constraints, but it's better to be safe). {secure, true} makes the cookie show up as an empty string from JavaScript.

Bob Ippolito

May 15, 2012, 2:28:38 PM
to Adam Rutkowski, erlang-q...@erlang.org
On Tue, May 15, 2012 at 12:19 PM, Adam Rutkowski <adam.ru...@jtendo.com> wrote:
One simple approach is to make an expiring process that generates a random binary per user session. Use its value to encrypt the cookie, encode it somehow so it's browser/cowboy-friendly (I remember I had some trouble using base64 with the cowboy cookie module, which led me to a hex string eventually), then verify it using the onrequest hook.
Whatever you choose to do, pass it through SSL and use secure cookies (https://github.com/essen/cowboy/blob/master/src/cowboy_cookies.erl#L28).

The base64 codec uses some characters that aren't safe in URLs or cookies, so you'll have to modify it slightly.

-bob

Max Lapshin

May 15, 2012, 3:44:52 PM
to Bob Ippolito, erlang-q...@erlang.org
Ruby on Rails implements a wonderful idea:

you pack your session as a JSON: {user_id : 15, ip : "23.45.67.89",
expire_at : 1234567780},
then you take base64 from it,
then you concat base64 with secret key and take sha1 from it.

Cookie = base64(Session) ++ "--" ++ sha1(base64(Session) ++ SecretKey)

later on each request you validate that session is signed properly,
check IP address, timeout and use your really stateless session.
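The stateless signed-cookie scheme sketched above, as a complete Erlang module. This is an added example written for this thread, not code from Rails, Cowboy or any poster; it uses only the OTP standard library (crypto:mac/4 needs OTP 22.1 or later). Two deliberate departures from the sketch: the signature is an HMAC-SHA256 over the encoded payload rather than sha1(payload ++ secret), because a plain hash of data concatenated with a secret is open to length-extension forgery, and the separator is "." rather than "--", because URL-safe base64 uses "-" and a payload could legitimately contain "--". The payload is serialized with term_to_binary instead of JSON so that no JSON library is needed; it is only deserialized (with the [safe] option) after the MAC has verified. The claim names user_id, ip and expire_at follow the sketch; the 4096-byte limit and the module and function names are this example's own choices.

```erlang
%% signed_cookie.erl: stateless, HMAC-signed session cookie (added example).
%% Cookie = b64url(term_to_binary(Claims)) ++ "." ++ b64url(HMAC-SHA256(Secret, payload))
-module(signed_cookie).
-export([encode/3, decode/4, main/0]).

-define(MAX_COOKIE, 4096).   % refuse absurdly long values before doing any work

%% Fields is a map of server-chosen claims, e.g. #{user_id => 15, ip => <<"...">>}.
%% ExpireAt is a Unix timestamp (seconds); Secret is a random key known only to the server.
encode(Fields, ExpireAt, Secret) when is_map(Fields), is_integer(ExpireAt), is_binary(Secret) ->
    Claims  = Fields#{expire_at => ExpireAt},
    Payload = b64url_encode(term_to_binary(Claims)),
    Sig     = b64url_encode(crypto:mac(hmac, sha256, Secret, Payload)),
    <<Payload/binary, ".", Sig/binary>>.

%% Verify the signature first, then the claims. Now is the current Unix time,
%% PeerIp the remote address as a binary. Returns {ok, Claims} or {error, Reason}.
decode(Cookie, Secret, Now, PeerIp) when is_binary(Cookie), byte_size(Cookie) =< ?MAX_COOKIE ->
    case binary:split(Cookie, <<".">>) of
        [Payload, Sig] ->
            Expected = b64url_encode(crypto:mac(hmac, sha256, Secret, Payload)),
            case const_eq(Expected, Sig) of
                true  -> verified(Payload, Now, PeerIp);
                false -> {error, bad_signature}
            end;
        _ -> {error, malformed}
    end;
decode(_Cookie, _Secret, _Now, _PeerIp) ->
    {error, malformed}.

%% Only reached once the MAC matched, so the bytes are what this server produced;
%% [safe] still refuses to create new atoms, and any decode failure is malformed.
verified(Payload, Now, PeerIp) ->
    try binary_to_term(b64url_decode(Payload), [safe]) of
        Claims when is_map(Claims) -> check_claims(Claims, Now, PeerIp);
        _Other                     -> {error, malformed}
    catch
        _:_ -> {error, malformed}
    end.

check_claims(#{expire_at := Exp}, Now, _PeerIp) when is_integer(Exp), Now >= Exp ->
    {error, expired};
check_claims(#{ip := Ip}, _Now, PeerIp) when Ip =/= PeerIp ->
    {error, ip_mismatch};
check_claims(#{expire_at := Exp, ip := _} = Claims, _Now, _PeerIp) when is_integer(Exp) ->
    {ok, Claims};
check_claims(_Claims, _Now, _PeerIp) ->
    {error, missing_claims}.

%% URL/cookie-safe base64: "+" -> "-", "/" -> "_", padding dropped (Bob's point above).
b64url_encode(Bin) ->
    << <<(url_char(C))>> || <<C>> <= base64:encode(Bin), C =/= $= >>.

b64url_decode(Bin) ->
    Std = << <<(std_char(C))>> || <<C>> <= Bin >>,
    Pad = case byte_size(Std) rem 4 of 0 -> <<>>; 2 -> <<"==">>; 3 -> <<"=">> end,
    base64:decode(<<Std/binary, Pad/binary>>).

url_char($+) -> $-;
url_char($/) -> $_;
url_char(C)  -> C.

std_char($-) -> $+;
std_char($_) -> $/;
std_char(C)  -> C.

%% Compare two binaries without returning early on the first differing byte,
%% so response timing does not reveal how much of a forged signature is right.
const_eq(A, B) when byte_size(A) =:= byte_size(B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0;
const_eq(_A, _B) ->
    false.

%% Demo with constructed values: run with
%%   erlc signed_cookie.erl && erl -noshell -s signed_cookie main -s init stop
main() ->
    Secret = crypto:strong_rand_bytes(32),
    Now    = erlang:system_time(second),
    Ip     = <<"23.45.67.89">>,
    Cookie = encode(#{user_id => 15, ip => Ip}, Now + 3600, Secret),
    {ok, #{user_id := 15}} = decode(Cookie, Secret, Now, Ip),
    {error, ip_mismatch}   = decode(Cookie, Secret, Now, <<"10.0.0.1">>),
    {error, expired}       = decode(Cookie, Secret, Now + 7200, Ip),
    {error, bad_signature} = decode(Cookie, <<"wrong key">>, Now, Ip),
    %% Tampering with one payload byte is caught by the MAC before anything is decoded.
    <<First, Rest/binary>> = Cookie,
    {error, bad_signature} = decode(<<(First bxor 1), Rest/binary>>, Secret, Now, Ip),
    io:format("cookie: ~s~nall checks passed~n", [Cookie]).
```

The ordering matters: signature, then expiry, then IP, and nothing is parsed from the payload until the signature is good. The IP claim is a trade-off, since users behind mobile carriers and corporate proxies change addresses mid-session, so treat it as optional rather than a substitute for a short expire_at.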

Fred Hebert

May 15, 2012, 8:21:21 PM
to Bob Ippolito, erlang-q...@erlang.org
CSRF and JavaScript cookies are unrelated.

I could build a CSRF attack using an img tag or by submitting a form, and never touch it with JavaScript. The only way to truly protect against CSRF is to use session tokens (referrer checking doesn't work if you expect requests from Flash and/or SSL).

Store the session token in the form for any request that can change data and match it with the cookie. If either the cookie or token do not match, reject the request. The token should be protected thanks to the Same-Origin Policy implemented by browsers.

As far as I know, making the cookie http only has no impact on this, but is rather protection when it comes to XSS accessing cookie data, not CSRF.
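Loïc's suggestion (a random server-side id mapped to the logged-in user) and Fred's (a per-session token that state-changing forms must echo back) fit together in one small module. The following is an added example for this thread, not Cowboy or any poster's code. Assumptions: sessions live in an ETS table on a single node; ids and tokens are 128 bits from crypto:strong_rand_bytes/1 rendered as hex, which keeps them free of the characters that make raw base64 awkward in cookies; and the CSRF token is a second random value bound to the session rather than the session id itself, so the id only ever travels in the (Secure, HttpOnly) cookie and never in page HTML. The module and function names are this example's own.

```erlang
%% session_store.erl: server-side sessions keyed by a random id, with a
%% per-session CSRF token (added example, not Cowboy code).
-module(session_store).
-export([new/0, login/4, lookup/3, verify_csrf/4, logout/2, main/0]).

-record(session, {id, user, csrf, expire_at}).

%% One table for the node; in a real app own it from a supervised process.
new() ->
    ets:new(?MODULE, [set, public, {keypos, #session.id}]).

%% Log a user in: mint an unguessable session id and an independent CSRF token.
%% The caller sets Id as the cookie value and embeds Csrf in a hidden form field.
login(Tab, User, Now, TtlSeconds) when is_integer(Now), is_integer(TtlSeconds) ->
    Id   = random_token(),
    Csrf = random_token(),
    true = ets:insert(Tab, #session{id = Id, user = User, csrf = Csrf,
                                    expire_at = Now + TtlSeconds}),
    {Id, Csrf}.

%% Resolve a cookie value to its user. Anything not in the table, including a
%% value an attacker typed into their browser, is simply not a session.
lookup(Tab, Id, Now) ->
    case ets:lookup(Tab, Id) of
        [#session{expire_at = Exp}] when Now >= Exp ->
            ets:delete(Tab, Id),
            {error, expired};
        [#session{user = User}] ->
            {ok, User};
        [] ->
            {error, no_session}
    end.

%% For requests that change data: the cookie must name a live session AND the
%% token submitted in the form must match the token bound to that session.
%% A cross-site <img> or auto-submitted form carries the cookie but cannot
%% read the page to learn the token, so it fails here.
verify_csrf(Tab, Id, FormToken, Now) ->
    case lookup(Tab, Id, Now) of
        {ok, User} ->
            [#session{csrf = Csrf}] = ets:lookup(Tab, Id),
            case is_binary(FormToken) andalso const_eq(Csrf, FormToken) of
                true  -> {ok, User};
                false -> {error, csrf_mismatch}
            end;
        Error ->
            Error
    end.

logout(Tab, Id) ->
    ets:delete(Tab, Id),
    ok.

%% 128 bits from the OS CSPRNG as 32 lowercase hex characters.
random_token() ->
    << <<(hex_digit(N))>> || <<N:4>> <= crypto:strong_rand_bytes(16) >>.

hex_digit(N) when N < 10 -> $0 + N;
hex_digit(N)             -> $a + N - 10.

%% Fixed-time comparison so a forged token cannot be guessed byte by byte.
const_eq(A, B) when byte_size(A) =:= byte_size(B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0;
const_eq(_A, _B) ->
    false.

%% Demo with constructed values: run with
%%   erlc session_store.erl && erl -noshell -s session_store main -s init stop
main() ->
    Tab = new(),
    Now = erlang:system_time(second),
    {Sid, Csrf} = login(Tab, <<"wes">>, Now, 1800),
    {ok, <<"wes">>}        = lookup(Tab, Sid, Now),
    {error, no_session}    = lookup(Tab, random_token(), Now),   % forged cookie
    {ok, <<"wes">>}        = verify_csrf(Tab, Sid, Csrf, Now),
    {error, csrf_mismatch} = verify_csrf(Tab, Sid, <<"forged">>, Now),
    {error, csrf_mismatch} = verify_csrf(Tab, Sid, undefined, Now), % token omitted
    {error, expired}       = lookup(Tab, Sid, Now + 3600),
    {error, no_session}    = lookup(Tab, Sid, Now),              % expiry removed it
    ok = logout(Tab, Sid),
    io:format("session id ~s~ncsrf token ~s~nall checks passed~n", [Sid, Csrf]).
```

Because the session is server-side, logout and forced expiry are immediate (delete the row), which the stateless signed-cookie design cannot offer without a revocation list. The cost is that every request does a table lookup and the table must be shared or sticky-routed across nodes.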

Bob Ippolito

May 15, 2012, 8:39:10 PM
to Fred Hebert, erlang-q...@erlang.org
You're right, I meant XSS but typed CSRF. Thanks :)

Matti Oinas

May 15, 2012, 11:56:44 PM
to Max Lapshin, erlang-q...@erlang.org
I would recommend reading the paper
http://www.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf

It is a good description of the method used by Rails and it also
presents a couple of not-so-good implementations of web authentication.


This stackoverflow post is great and contains links to good sources of
information including the one mentioned above.

http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication?answertab=votes#tab-top

Wes James

May 16, 2012, 10:11:06 AM
to erlang-q...@erlang.org
Thanks everyone for your responses!

Wes

Steve Davis

May 16, 2012, 8:43:40 PM
to erlang-q...@erlang.org
This is also quite interesting on the topic.

http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

eigenfunction

May 18, 2012, 10:01:34 AM
to erlang-q...@erlang.org
Stateless applications are just too hard to secure. I wish there were
a stateful web framework written in Erlang, something like Java
WebObjects or Scala Lift, where you can just write your application and
go to sleep without worrying about security. The first time I saw
erlang-web and its component-based approach, I thought they got it. I
checked their wiki page but they did not mention security anywhere, so
I had to look somewhere else.


OvermindDL1

May 24, 2012, 5:42:18 AM
to eigenfunction, erlang-q...@erlang.org
For note, in the past I loved using the Wt C++ Web Toolkit: completely stateful, high emphasis on security, fully JavaScript-driven but with a fully functional fallback when JavaScript is disabled.  I have always wanted something like it in Erlang.  Nitrogen gets kind of close, but is still missing the vast part of it, like all-inclusive state.
