Tornado – Secure Cookies

Well, as we read about cookies in the previous post, cookies help in tracking users and in understanding their preferences and browsing activity. Cookies thus provide continuity and state across HTTP connections, which we illustrated with users browsing through different pages without losing the information they had posted.

All's good, but the threat lies in these cookies, stored at the client's location, being used to carry personal and confidential information such as credit card numbers or passwords. Cookies are readable in clear text and can easily be tampered with or forged to impersonate a client. The way out is to have secure web cookies and, guess what, Tornado is again happy to help! 🙂

In the example below, Tornado uses the methods get_secure_cookie and set_secure_cookie to get and set secure cookies, and signs them with the key specified as cookie_secret when the application is created. Signed cookies contain the encoded value together with a timestamp and an HMAC signature. Also, by default, Tornado creates secure cookies with an expiry of 1 month.

A Secure Cookie looks like this:

technobeans="MTM0NDM1OTA5NS4yOQ==|1344359095|be3d68ebe6251359e9f8bade853ca99c93ff1daa"; expires=Thu, 06 Sep 2012 17:04:55 GMT; Path=/
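The three `|`-separated fields above are the base64-encoded value, the Unix timestamp and a hex HMAC-SHA1 signature. As an added illustration (not Tornado's own code, and using a constructed sample secret), the following stand-alone re-implementation of that signing layout shows why the signature stops tampering and replay of stale cookies, while the value itself is only encoded, not encrypted, and remains readable:

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Stand-alone re-implementation of the signed-cookie layout shown on this page:
# base64(value) | unix-timestamp | hex HMAC-SHA1(secret, name + value + timestamp).
# Written for illustration; it is not Tornado's own code.
COOKIE_SECRET = b"constructed-sample-secret-change-me"  # constructed sample key
MAX_AGE_DAYS = 31  # assumed validity window for accepting a signed cookie


def _signature(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA1 over name, encoded value and timestamp, in that order."""
    mac = hmac.new(secret, digestmod=hashlib.sha1)
    for part in parts:
        mac.update(part)
    return mac.hexdigest()


def create_signed_value(secret: bytes, name: str, value: str,
                        now: Optional[float] = None) -> str:
    """Build the cookie payload: the value is base64-encoded, never encrypted."""
    timestamp = str(int(now if now is not None else time.time())).encode()
    encoded = base64.b64encode(value.encode())
    sig = _signature(secret, name.encode(), encoded, timestamp)
    return b"|".join([encoded, timestamp, sig.encode()]).decode()


def decode_signed_value(secret: bytes, name: str, cookie: str,
                        now: Optional[float] = None,
                        max_age_days: int = MAX_AGE_DAYS) -> Optional[str]:
    """Return the original value, or None if the cookie is malformed, forged or stale."""
    parts = cookie.encode().split(b"|")
    if len(parts) != 3:
        return None
    encoded, timestamp, sig = parts
    expected = _signature(secret, name.encode(), encoded, timestamp)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), sig):
        return None
    try:
        ts = int(timestamp)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if ts < current - max_age_days * 86400 or ts > current + max_age_days * 86400:
        return None  # too old, or a timestamp from the future
    try:
        return base64.b64decode(encoded).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

Decoding the first field of the cookie above gives the string `1344359095.29`, so the page's example stored the current time as its value; the signature cannot be checked here because the original cookie_secret is not known.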
