Stormpath HTTP Cookies

As we planned our burn-down to the holidays, our head of Marketing made some pretty big commitments to our growth plan. But what is a good growth plan without some technical fussery? So, here’s what I came up with as a response:

All new API calls to Stormpath Thanksgiving week will result in a shipment of free, freshly home-baked cookies to the holder of the Stormpath tenant!

So, in the spirit of the holidays and web developers everywhere, we’ve decided to put cookies at the center of your Thanksgiving week. I’ll cover how to use HTTP cookies securely in your web application, and if you try out the Stormpath API for the first time this week, you’ll get some free Stormpath cookies, straight from Claire’s kitchen. Woot!

Cookies Are Delicious

No doubt about that, right? They taste good, they allow you to store useful information in the user’s browser, and they allow the browser to automatically send that information back to your server, on every request. These features are too tasty to turn away. So go ahead, have a few cookies! It is the holidays, after all!

Unfortunately, cookies have gotten a bad rap. They typically contain gluten, and are often poorly baked, exposing your users to bad taste and poor web design.

In this recipe, we will show you how to make cookies that are delicious, responsible, and guilt-free.

Recipe: The Best Darn HTTP Cookies

  • 1 Part Secure flag

  • 1 Part HttpOnly flag

  • 2 parts responsibility (client AND server)

  • 1 Part highly unique identifier (if using cookie for session lookup)

  • Hold the PII (personally identifiable information)

  • Unique cookie name, to taste

  • One medium-sized, CSRF and XSS-safe baking sheet

  • HTTPS (for delivery)

Step 1: Inspect Your Ingredients

For best flavor, ensure that your ingredients are fresh but not too raw.

  • No PII – Your cookies will be sitting in plain sight on the table. As such, they should not contain burnt edges, real names, email addresses, social security numbers, etc. A cookie is not a mirror, or your filing cabinet.

  • Highly Unique Identifiers – If you are whipping up some session cookies (the ones that link the browser session to a session database), then the contents of the cookie should be highly random. If an attacker can guess the ingredients of your cookie, they can pose as your user. Oatmeal-Raisin is about as bland as you can get, so you should absolutely avoid that entropy source.

Step 2: Prepare Your Baking Sheet

How your cookies are formed is just as important as their contents. Nobody likes a sloppy cookie. You want to form your cookies with some protection from crumbly edge cases.

  • XSS Prevention. The JavaScript environment in the browser is hostile. Your cookies are not going to survive rummaging hands, curious snouts, and malicious JavaScript that made its way into your cookie jar. Protect your cookies from XSS by providing the HttpOnly flag when you send the cookie to the browser. This prevents the JavaScript environment from accessing the cookie. You should do this for any cookie that gives the user implicit access to sensitive resources.

  • CSRF Prevention. Your cookies can be used maliciously, by other domains that make requests to your website without your user’s consent. If your server blindly authenticates a user, simply because they have a tasty, buttery, sugary cookie, then you’ve got more problems than your hard drive size. You’re also allowing CSRF attacks, where other websites trigger state-changing actions on your server without your user’s consent. This is possible because the browser will always send the user’s cookies automatically, regardless of how the request was triggered. Use one of the many CSRF Prevention measures to reduce this risk.

Step 3: Delivery

Sliding your cookies onto some tableware and wrapping them with saran wrap may be fine for a birthday or a make-up attempt, but it’s the holidays! Let’s get fancy, and secure, about this operation. Use red saran wrap.

And always use Secure cookies. The Secure flag tells the browser that the cookie should only be transmitted over secure, HTTPS connections. We want this because Santa is listening “on the wire”, and we don’t want him to steal your cookies.

And That’s How The Cookie Crumbles

Having the best recipe in the world is great, but why do all that work when someone else is probably going to be bringing the same cookies to the party?

Save yourself some time and Sign Up for Stormpath – Not only will you get these security features out-of-the box with our full suite of SDKs and framework integrations, but we’ll also send you some free cookies – really!

The easiest way to get started is with one of our quickstarts:

Happy Holidays from the Stormpath Team :)


Cookie Terms and Disclaimers from Claire

  • I make damn good cookies.

  • How this will work operationally: We will check the API logs on Monday. Anyone who has created a new Stormpath tenant and successfully made an API call between the timestamp when this post goes live and Sunday 11/29 at midnight PST will get an email asking for a mailing address where we can send your cookies.

  • Sadly, due to customs restrictions, we can’t ship homemade baked goods outside the US. But we can in most cases send you some Swag.

  • Unfortunately, we can’t honor special requests or dietary restrictions. I bake a lot, and nuts, gluten and other allergens are regularly flung around my kitchen.

  • Cookie delivery will probably happen in December.

When building full-stack JavaScript applications, it’s all too easy to defer the user authentication until some later date. With the power of frameworks like Angular.js and Express.js, you can “just get going” with your core application functionality, without really needing to invest effort in figuring out the “user login part”.

But if you’ve worked this way, you’ve likely discovered that adding in user authentication can be a real pain once your development picks up and the deadline suddenly turns into tomorrow :)

In this post, I’ll show you how we can include user authentication up front, as part of your boilerplate. We’ll be using Stormpath as our authentication service, and you’ll be up and running in 15 minutes – *promise*.

Read more »

Stormpath PHP

A little over 3 years ago, Stormpath introduced PHP support for User Management and the response from the PHP community has been overwhelming and so supportive. Thank you! Since then, we have been working very hard on the PHP SDK to make it your go-to service for User Identity.

Today, we are happy to announce that a stable version of the PHP SDK is being released to General Availability. Begone Beta Tag!

This release includes many changes: we removed the dependency on PEAR and now support installation using Packagist. Composer and Packagist give us nice autoloader options, both of which use the PHP Standards Recommendations (PSR). The PHP SDK has been updated to use PSR-4 autoloading instead of the deprecated PSR-0.

Read more »

As a .NET developer, I’ve spent most of my time coding on Windows machines. It’s only logical: Visual Studio is the richest development experience for building C# and VB.NET applications, and it only runs on Windows…right?

When I joined Stormpath to work on our open-source .NET authentication library, I was handed a MacBook Pro and given an interesting challenge: can a Mac be an awesome .NET development platform?

To my surprise, the answer is yes! I’ll share how I turned a MacBook Pro into the ultimate Visual Studio development machine.

Read more »

When you research web application security you will come across Cross-Site Request Forgery (CSRF). This attack vector takes advantage of cookies, but in a preventable way. In this post we’ll discuss what the attack is and how it can be prevented. We’ll also discuss Angular’s XSRF feature, which helps you prevent the attack. It requires cooperation from your server, and we’ll explain what you need to do.

Note: Angular uses the acronym XSRF, but this is synonymous with CSRF.

What is Cross-Site Request Forgery (CSRF)?

Read more »

Here at Stormpath, we ♥ Spring Boot. It makes it so easy and fun to build rich Java webapps.

We’re very excited for our latest Java SDK release which includes a major overhaul to our Spring Security and Spring Boot support.

If you’ve built a web app before, you know that all the “user stuff” is a royal pain. Stormpath gives developers all that “user stuff” out-of-the-box so you can get on with what you really care about – your app! By the time you’re done with this tutorial (< 15 minutes, I promise), you’ll have a fully-working Spring Boot webapp that protects user access to restricted paths with Spring Security and is backed by Stormpath.

We’ll focus on our Spring Boot integration to roll out a simple Spring Boot web application, with a complete user registration and login system, with these features:

  • Login and Registration pages
  • Password reset workflows
  • Restricting access according to Group membership
  • The ability to easily enable other Stormpath features in our Java library (API authentication, SSO, social login, and more)
Read more »


Building command line programs has been a long time passion of mine. There’s something magical about making a simple, intuitive, and composable CLI. There’s also nothing more beautiful than chaining together a series of CLI programs to solve a complex problem quickly.

Here at Stormpath, we’ve built our entire product CLI in Python to create / manage / edit users for your applications, and have been really happy with the result.

Most of this is thanks to the wonderful docopt library, which provides automatic CLI argument parsing and makes building complicated CLIs incredibly simple. And the best part? It works across more than 20 different programming languages! This means that even if you’re building a new CLI app in Go, Rust, or something in between, chances are you can use docopt, too!

If you want to know how to structure your next CLI-based app to minimize complexity and maximize awesomeness, keep reading. Read more »

I am sure every PHP developer has struggled with storing user information on a server to identify the source of a request. Since HTTP is a stateless protocol, this has been the only way to tell who a user is. Until now! We’ve built Token Authentication directly into the PHP SDK for your applications.

Token based authentication in the PHP SDK removes the need to store information on the server, and allows you to keep tokens secure on the Client. Using Stormpath to generate and verify these tokens for you, access to your web application can be restricted at any time by removing a token from an account.

Read more »

At Stormpath, we spend a lot of time designing features to help developers build applications using best practices for authentication, authorization, and user data security.

Now, Stormpath makes it easy for developers to generate OAuth 2.0 access tokens. This new feature gives your applications a way to authorize requests for other applications and micro-services that you own.

Developers often come to us with these questions:

  • How do I secure my API so only authenticated users can access it?
  • How do I manage stateless tokens and still control access after a logout or if I need to revoke a token?
  • How do I store session information in my application that doesn’t incur state on my server or APIs?

Stormpath OAuth Support allows you to do all these things, and this post will show you how to use this feature, or at least understand the functionality required for a good token management system. You can also go straight to the deep documentation on how to use Stormpath to manage tokens in our Token Management Guide.

Before we get into the nitty gritty though…

A Crash Course in Token-Based Authentication and Management

Read more »