How to parse secure cookies?


Phyo Arkar

Aug 31, 2015, 3:37:58 PM
to Tornado Mailing List
Previously, when a user logged in, I set the cookie on the browser side separately from the Ajax login result.
But it is not efficient and sometimes it misses.

I was doing that because I don't know how to parse Tornado's secure cookies.

How can I do that?

Kevin LaTona

Aug 31, 2015, 4:33:55 PM
to python-...@googlegroups.com

On Aug 31, 2015, at 12:37 PM, Phyo Arkar <phyo.ar...@gmail.com> wrote:

I was doing that because I don't know how to parse Tornado's secure cookies.

How can I do that?


Never had to do what you are doing.

I'm guessing you might find the answer in these links or they might get you on your way to figuring it out.

If you do figure it out, post it to the list for others to see.

-Kevin


Japhy Bartlett

Aug 31, 2015, 5:39:26 PM
to python-...@googlegroups.com
When you say "parse", do you mean in the browser? The cookies are encrypted, that's what makes them secure!

If you load the encryption key into the browser (and how else would you decrypt or parse the cookie?), that would completely defeat the purpose. Don't do that. :(


If you mean in the back end, you would use get_secure_cookie: 





Phyo Arkar

Sep 1, 2015, 2:58:44 AM
to python-...@googlegroups.com
Yeah, I realize secure cookies in the first place aren't meant to be read at the client side. So yeah, they shouldn't be parsed. I will just avoid using cookies now. I am having problems with passing cookies in cross-domain (but subdomain) requests, that's why I tried :D

Phyo Arkar

Sep 1, 2015, 4:18:19 AM
to Tornado Mailing List
Is this a good idea? Just to include the secure cookie in every Ajax GET/POST request and EventSource request?

Phyo Arkar

Sep 1, 2015, 4:18:48 AM
to Tornado Mailing List
I mean, as a request parameter, not as a cookie.

Ben Darnell

Sep 1, 2015, 7:08:12 AM
to Tornado Mailing List
On Mon, Aug 31, 2015 at 11:39 PM, Japhy Bartlett <ja...@pearachute.com> wrote:
When you say "parse", do you mean in the browser? The cookies are encrypted, that's what makes them secure!

If you load the encryption key into the browser (and how else would you decrypt or parse the cookie?), that would completely defeat the purpose. Don't do that. :(

Tornado's secure cookies are signed, not encrypted. You can read the data they contain without the key, but you need the key to know that it was generated by the server. The exact format is an implementation detail and subject to change, so I do not recommend doing this.

-Ben
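The signed-not-encrypted distinction Ben draws above, shown as an added, stdlib-only illustration that is not Tornado's code and does not reproduce Tornado's actual cookie layout (which, as he says, is an implementation detail). The `payload|timestamp|signature` layout, the HMAC-SHA256 choice, the `SECRET` value and the function names are all assumptions made for this example; what it demonstrates is that the payload is readable by anyone, while verification, tamper detection and expiry require the server-side key.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example only (hypothetical value, not a real deployment's key).
SECRET = b"example-cookie-secret-not-for-production"


def _signature(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over the cookie name, encoded payload and timestamp, hex encoded."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
        mac.update(b"|")
    return mac.hexdigest()


def create_signed_value(secret: bytes, name: str, value: bytes,
                        timestamp: Optional[int] = None) -> str:
    """Return 'base64(value)|timestamp|signature'.

    The payload is only base64-encoded, not encrypted: anyone can read it,
    but only the holder of `secret` can produce a valid signature for it.
    """
    ts = str(int(time.time()) if timestamp is None else timestamp).encode()
    payload = base64.b64encode(value)
    sig = _signature(secret, name.encode(), payload, ts)
    return b"|".join([payload, ts, sig.encode()]).decode()


def read_unverified(cookie: str) -> bytes:
    """What a client (or anyone else) can see without the key: the plaintext value."""
    payload = cookie.split("|", 1)[0]
    return base64.b64decode(payload)


def decode_signed_value(secret: bytes, name: str, cookie: str,
                        max_age_days: int = 31,
                        now: Optional[int] = None) -> Optional[bytes]:
    """Server-side check: return the value only if the signature was made with
    `secret` for this cookie name and the timestamp is still within max_age_days."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    payload, ts, sig = parts
    expected = _signature(secret, name.encode(), payload.encode(), ts.encode())
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if not ts.isdigit():
        return None
    current = int(time.time()) if now is None else now
    issued = int(ts)
    if issued < current - max_age_days * 86400:
        return None  # expired
    if issued > current + 300:
        return None  # issued "in the future" beyond a small clock-skew allowance
    try:
        return base64.b64decode(payload)
    except ValueError:
        return None


def tampered_copy(cookie: str, new_value: bytes) -> str:
    """Simulate a client editing the readable payload while keeping the old signature;
    used to show that decode_signed_value rejects it."""
    _, ts, sig = cookie.split("|")
    return "|".join([base64.b64encode(new_value).decode(), ts, sig])


if __name__ == "__main__":
    c = create_signed_value(SECRET, "user", b"phyo")
    print("cookie:", c)
    print("readable without key:", read_unverified(c))
    print("verified with key:", decode_signed_value(SECRET, "user", c))
    print("tampered, verified:", decode_signed_value(SECRET, "user", tampered_copy(c, b"root")))
```

Because the value is visible to anything that can read the cookie, the usual rule follows: store an opaque identifier or non-sensitive data in a signed cookie, and keep the signing key strictly on the server.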

Ben Darnell

Sep 1, 2015, 7:19:09 AM
to Tornado Mailing List
On Tue, Sep 1, 2015 at 10:17 AM, Phyo Arkar <phyo.ar...@gmail.com> wrote:
Is this a good idea? Just to include the secure cookie in every Ajax GET/POST request and EventSource request?

It's fine to include sensitive data like secure cookies in POST request bodies (GET is riskier since parameters in the url tend to get logged in more places). In fact, it can even be more secure than cookies as long as you can manage this data securely to pass it in on the request. However, it's difficult to do this securely in a browser (it's equivalent to *not* using the httponly flag on your cookies). So even though it's safe to pass the data via POST body, the things you have to do to get it there may not be safe.

-Ben

Japhy Bartlett

Sep 2, 2015, 1:34:14 PM
to python-...@googlegroups.com
Oh my bad, I misunderstood that.

