rlipscombe / cowboy2_session
Session handling middleware for Cowboy 2.x
License: Apache License 2.0
Consider options for remembering the client IP address, etc.
Currently it's an empty dictionary. You might want to use something different.
You might want to use different session tables for different cowboy endpoints, for example.
That is: don't send the cookie in the stream handler; wait until the first call to put_session.
Hacking on something at work; uses Github OAuth, and it stopped working. As far as I can tell, it's because session cookies don't work reliably over a 302 redirect (some SameSite shenanigans).
So: look carefully at how sessions are done over redirects. This probably means that #13 needs to be WONTFIXED, and that #6 needs looking at -- if you're doing it and then redirecting, stuff might break.
When deployed behind a load-balancer, or in K8s, we get spammed on the /health endpoint. We don't want to create a new session in the ETS table for each of those requests, so provide a filter function that can skip session creation.
Or, alternatively, implement #13, but that might have other complications.
ETS storage is great, but it can't be shared across nodes behind a load-balancer, and it's not persistent in case of server restart. Make it pluggable and provide, e.g., a redis backend.
Avoids session fixation. For example:
See, for example, https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
Let's take the example code:
init(Req, Opts) ->
    % Get the session details from the request object.
    Session = cowboy2_session:get_session(Req),
    % ... do something interesting ...
    NewSession = Session,   % placeholder: the session after the interesting part
    % Put updated session details in the request object.
    Req2 = cowboy2_session:put_session(NewSession, Req),
    % Send the response to the client.
    Headers = #{<<"content-type">> => <<"text/plain">>},
    Body = <<"ok">>,
    Req3 = cowboy_req:reply(200, Headers, Body, Req2),
    {ok, Req3, Opts}.
In this handler, I create a session for the request, and if I delete the session (like logging a user out) in the same request, how can I check whether the session for that request is empty/deleted?
Anonymous sessions should probably be ephemeral. But if you want "remember me" to work, you're gonna need to update the expiry on the cookie (and in the db).
If an attacker gets a copy of the session ID database, they'll be able to use one of the stolen session IDs to impersonate an authenticated user.
I think that this is only really relevant if using a persistent session store, so this depends on #8.
Mitigations are:
See https://security.stackexchange.com/questions/221841/hashing-session-id
rand:bytes/1 (PRNG) is probably hard to predict. It would be better to use a CSPRNG to be sure, though. Use crypto:strong_rand_bytes/1 instead.
Allow setting Secure, HttpOnly, expiry, etc.
ErlangLS in VS Code complains about the same thing.