Stormpath HTTP Cookies

As we planned our burn-down to the holidays, our head of Marketing made some pretty big commitments to our growth plan. But what is a good growth plan without some technical fussery? So, here’s what I came up with as a response:

All new API calls to Stormpath Thanksgiving week will result in a shipment of free, freshly home-baked cookies to the holder of the Stormpath tenant!

So, in the spirit of the holidays and web developers everywhere, we’ve decided to put cookies at the center of your Thanksgiving week. I’ll cover how to use HTTP cookies securely in your web application, and if you try out the Stormpath API for the first time this week, you’ll get some free Stormpath cookies, straight from Claire’s kitchen. Woot!

Cookies Are Delicious

No doubt about that, right? They taste good, they allow you to store useful information in the user’s browser, and they allow the browser to automatically send that information back to your server, on every request. These features are too tasty to turn away. So go ahead, have a few cookies! It is the holidays, after all!

Unfortunately, cookies have gotten a bad rap. They typically contain gluten, and are often poorly baked, exposing your users to bad taste and poor web design.

In this recipe, we will show you how to make cookies that are delicious, responsible, and guilt-free.

Recipe: The Best Darn HTTP Cookies

  • 1 Part Secure flag

  • 1 Part HttpOnly flag

  • 2 parts responsibility (client AND server)

  • 1 Part highly unique identifier (if using cookie for session lookup)

  • Hold the PII (personally identifiable information)

  • Unique cookie name, to taste

  • One medium-sized, CSRF and XSS-safe baking sheet

  • HTTPS (for delivery)

Step 1: Inspect Your Ingredients

For best flavor, ensure that your ingredients are fresh but not too raw.

  • No PII – Your cookies will be sitting in plain sight on the table. As such, they should not contain burnt edges, real names, email addresses, social security numbers, etc. A cookie is not a mirror, or your filing cabinet.

  • Highly Unique Identifiers – If you are whipping up some session cookies (the ones that link the browser session to a session database), then the contents of the cookie should be highly random. If an attacker can guess the ingredients of your cookie, they can pose as your user. Oatmeal-Raisin is about as bland as you can get, so you should absolutely avoid that entropy source.

Step 2: Prepare Your Baking Sheet

How your cookies are formed is just as important as their contents. Nobody likes a sloppy cookie. You want to form your cookies with some protection from crumbly edge cases.

  • XSS Prevention. The JavaScript environment in the browser is hostile. Your cookies are not going to survive rummaging hands, curious snouts, and malicious JavaScript that made its way into your cookie jar. Protect your cookies from XSS by providing the HttpOnly flag when you send the cookie to the browser. This prevents the JavaScript environment from accessing the cookie. You should do this for any cookie that gives the user implicit access to sensitive resources.

  • CSRF Prevention. Your cookies can be used maliciously, by other domains that make requests to your website without your user’s consent. If your server blindly authenticates a user, simply because they have a tasty, buttery, sugary cookie, then you’ve got more problems than your hard drive size. You’re also allowing CSRF attacks, where other websites trigger state-changing actions on your server without your user’s consent. This is possible because the browser will always send the user’s cookies automatically, regardless of how the request was triggered. Use one of the many CSRF Prevention measures to reduce this risk.

Step 3: Delivery

Sliding your cookies onto some tableware and wrapping them with saran wrap may be fine for a birthday or a make-up attempt, but it’s the holidays! Let’s get fancy, and secure, about this operation. Use red saran wrap.

And always use Secure cookies. The Secure flag tells the browser that the cookie should only be transmitted over secure, HTTPS connections. We want this because Santa is listening “on the wire”, and we don’t want him to steal your cookies.

Having the best recipe in the world is great, but why do all that work when someone else is probably going to be bringing the same cookies to the party?

Save yourself some time and sign up for Stormpath – Not only will you get these security features out of the box with our full suite of SDKs and framework integrations, but we’ll also send you some free cookies – really!

The easiest way to get started is with one of our quickstarts:

Happy Holidays from the Stormpath Team 🙂


Cookie Terms and Disclaimers from Claire

  • I make damn good cookies.

  • How this will work operationally: We will check the API logs on Monday. Anyone who has created a new Stormpath tenant and successfully made an API call between the timestamp when this post goes live and Sunday 11/29 at midnight PST will get an email asking for a mailing address where we can send your cookies.

  • Sadly, due to customs restrictions, we can’t ship homemade baked goods outside the US. But we can in most cases send you some Swag.

  • Unfortunately, we can’t honor special requests or dietary restrictions. I bake a lot, and nuts, gluten and other allergens are regularly flung around my kitchen.

  • Cookie delivery will probably happen in December.