CookieStore on Yaws

I implemented a session cookie store, just like the one in Ruby on Rails 2.0.

It comes with the same caveats:
Session data is base64-encoded and sent in the cookie together with a SHA MAC of that data.
This means that the user can see what's inside, but will not be able to tamper with it.

Moreover, session data should be kept small, as the encoded and signed data may not exceed 4096 bytes.
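The signing and verification scheme described above, as an added example that is not the code offered for download in this post. It assumes HMAC-SHA-256 for the "SHA MAC", a `--` separator between data and MAC, and OTP 22.1 or later for `crypto:mac/4`; the module and function names are hypothetical.

```erlang
%% Added example, not the code from the post. Names, the "--" separator and
%% HMAC-SHA-256 are assumptions; needs OTP 22.1+ for crypto:mac/4.
-module(cookie_mac_example).
-export([encode/2, decode/2, demo/0]).

-define(MAX_COOKIE, 4096).  % size limit stated in the post

%% Serialize the session term, base64 it, append a MAC of the base64 text.
encode(Session, Key) ->
    Data = base64:encode(term_to_binary(Session)),
    Cookie = <<Data/binary, "--", (mac(Data, Key))/binary>>,
    case byte_size(Cookie) =< ?MAX_COOKIE of
        true  -> {ok, Cookie};
        false -> {error, too_large}
    end.

%% Check the MAC first; only data that passed the check is deserialized.
decode(Cookie, Key) when is_binary(Cookie), byte_size(Cookie) =< ?MAX_COOKIE ->
    case binary:split(Cookie, <<"--">>) of
        [Data, Mac] ->
            case equal_ct(Mac, mac(Data, Key)) of
                true  -> {ok, binary_to_term(base64:decode(Data), [safe])};
                false -> {error, bad_mac}
            end;
        _ -> {error, malformed}
    end;
decode(_, _) -> {error, rejected}.

mac(Data, Key) -> base64:encode(crypto:mac(hmac, sha256, Key, Data)).

%% Comparison whose running time does not depend on where the inputs differ.
equal_ct(A, B) when byte_size(A) =:= byte_size(B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs) =:= 0;
equal_ct(_, _) -> false.

demo() ->
    Key = crypto:strong_rand_bytes(32),              % constructed demo key
    {ok, C} = encode([{user, "alice"}, {cart, 3}], Key),
    {ok, [{user, "alice"}, {cart, 3}]} = decode(C, Key),
    %% Change one character of the data part: verification must fail.
    <<First, Rest/binary>> = C,
    {error, bad_mac} = decode(<<(First bxor 1), Rest/binary>>, Key),
    {error, bad_mac} = decode(C, crypto:strong_rand_bytes(32)),
    {error, too_large} = encode(binary:copy(<<0>>, 4096), Key),
    ok.
```

Compile the module and call `cookie_mac_example:demo().` in an Erlang shell; it returns `ok` when the valid cookie round-trips and the modified, wrongly keyed and oversized cases are all rejected.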

That said, this should give us Yaws clustering for free 🙂
And there are no more sessions to expire: just set the cookie expiration date.

One small thing: make sure crypto is started.

session1.yaws has been rewritten to make use of this code.

Download here.

1 comment so far

  1. wde on

    Hi,

    I reused your code, thanks.

    I am also thinking about coding other mechanisms to improve session security with Yaws (for example, binding the session to the client's IP address, or using, alongside the cookie, an identifier in the URL that the server changes regularly…).

