Tornado – Secure Cookies


Well, as we read about cookies in the previous post, cookies help in tracking users and understanding their preferences and browsing activities. They thus provide continuity and state across HTTP connections, which we illustrated with users browsing through different pages without losing the information they posted.

All's good, but the threat lies in web servers accessing these cookies (stored at the client's location) to get personal and confidential information like credit card numbers or passwords. Cookies are stored and transmitted in clear text, so a client can read and alter them, which makes it easy to forge another user's identity. The way out is to have secure web cookies, and guess what, Tornado is again happy to help! 🙂

In the example below, Tornado uses the methods get_secure_cookie and set_secure_cookie to get and set secure cookies, keyed with the secret that is specified as cookie_secret when the application is created. A signed cookie contains the base64-encoded value together with a timestamp and an HMAC signature, so the server can detect any change to the value or the timestamp. Note that the value is only encoded, not encrypted: it is still readable on the client, so the signature protects integrity, not confidentiality. Also, by default, Tornado creates secure cookies with an expiry of 1 month.

A Secure Cookie looks like this:

technobeans="MTM0NDM1OTA5NS4yOQ==|1344359095|be3d68ebe6251359e9f8bade853ca99c93ff1daa"; expires=Thu, 06 Sep 2012 17:04:55 GMT; Path=/

Example
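The post's own example code is not reproduced on this page, so the following is an added example, not the original post's code or Tornado's source. It rebuilds the value|timestamp|signature layout shown in the cookie above with only the Python standard library (HMAC-SHA1 over the cookie name, the base64 value and the timestamp), so you can see what set_secure_cookie writes and what get_secure_cookie checks. The cookie_secret is a constructed placeholder, since the real one is not on the page; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: the post's real cookie_secret is not on the page.
COOKIE_SECRET = "example-secret-replace-with-a-long-random-value"

# The secure cookie value exactly as printed on the page (cookie name: technobeans).
PAGE_COOKIE_NAME = "technobeans"
PAGE_COOKIE_VALUE = "MTM0NDM1OTA5NS4yOQ==|1344359095|be3d68ebe6251359e9f8bade853ca99c93ff1daa"


def _signature(secret, *parts):
    """HMAC-SHA1 over name, base64 value and timestamp, concatenated in order
    (the layout of Tornado's original signed-cookie format)."""
    mac = hmac.new(secret.encode(), digestmod=hashlib.sha1)
    for part in parts:
        mac.update(part.encode())
    return mac.hexdigest()


def create_signed_value(secret, name, value, now=None):
    """What set_secure_cookie stores: base64(value)|timestamp|signature.
    The value is only encoded, so the client can read it; the signature
    only stops the client from changing it."""
    encoded = base64.b64encode(value.encode()).decode()
    timestamp = str(int(time.time() if now is None else now))
    return "|".join([encoded, timestamp, _signature(secret, name, encoded, timestamp)])


def decode_signed_value(secret, name, signed, max_age_days=31, now=None):
    """What get_secure_cookie checks. Returns the original value, or None if
    the cookie is malformed, the signature does not verify under this key,
    or the timestamp is outside the accepted window (default: about a month)."""
    parts = signed.split("|")
    if len(parts) != 3:
        return None
    encoded, timestamp, signature = parts
    expected = _signature(secret, name, encoded, timestamp)
    # Constant-time comparison so verification time leaks nothing about the MAC.
    if not hmac.compare_digest(expected, signature):
        return None
    # The signed parts are concatenated without separators, so a plain
    # integer timestamp is required to stop digits being shifted between the
    # base64 value and the timestamp; a leading zero is one symptom of that.
    if not timestamp.isdigit() or timestamp.startswith("0"):
        return None
    current = int(time.time() if now is None else now)
    issued = int(timestamp)
    if issued < current - max_age_days * 86400:
        return None  # expired
    if issued > current + 31 * 86400:
        return None  # issued in the future: clock skew or tampering
    return base64.b64decode(encoded).decode()


def peek_value(signed):
    """Read the value field with no key at all: signed is not encrypted."""
    return base64.b64decode(signed.split("|")[0]).decode()


if __name__ == "__main__":
    # The page's cookie is readable without the key, but it does not verify
    # under our placeholder secret, so a server with a different key rejects it.
    print("page cookie value:", peek_value(PAGE_COOKIE_VALUE))
    print("verifies under placeholder key:",
          decode_signed_value(COOKIE_SECRET, PAGE_COOKIE_NAME, PAGE_COOKIE_VALUE) is not None)

    signed = create_signed_value(COOKIE_SECRET, "user", "alice")
    print("fresh cookie:", signed)
    print("round trip:", decode_signed_value(COOKIE_SECRET, "user", signed))
    # Swap the value field for base64("admin"): signature no longer matches.
    tampered = "YWRtaW4=|" + signed.split("|", 1)[1]
    print("tampered:", decode_signed_value(COOKIE_SECRET, "user", tampered))
```

Running it shows the page's cookie value decoding to the string 1344359095.29 without any key, while the same cookie fails verification under a different secret. In a Tornado handler, self.set_secure_cookie("user", "alice") and self.get_secure_cookie("user") perform the create and decode steps respectively, with cookie_secret taken from the Application settings.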
