aboutsummaryrefslogtreecommitdiffstats
path: root/doc/src/guide/cookies.asciidoc
blob: 4825031bf5f4770f660611c1a905cd45ec7b5fd4 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
[[cookies]]
== Using cookies

Cookies are a mechanism allowing applications to maintain
state on top of the stateless HTTP protocol.

Cookies are a name/value store where the names and values are
stored in plain text. They expire either after a delay
or when the browser closes. They can be configured on a
specific domain name or path, and restricted to secure
resources (sent or downloaded over HTTPS), or restricted
to the server (disallowing access from client-side scripts).

Cookie names are de facto case sensitive.

Cookies are stored client-side and sent with every subsequent
request that matches the domain and path for which they were
stored, until they expire. This can create a non-negligible
cost.

Cookies should not be considered secure. They are stored on
the user's computer in plain text, and can be read by any
program. They can also be read by proxies when using clear
connections. Always validate the value before using it,
and never store any sensitive information inside it.

Cookies set by the server are only available in requests
following the client reception of the response containing
them.

Cookies may be sent repeatedly. This is often useful to
update the expiration time and avoid losing a cookie.

=== Setting cookies

By default cookies are defined for the duration of the session:

[source,erlang]
----
SessionID = generate_session_id(),
Req = cowboy_req:set_resp_cookie(<<"sessionid">>, SessionID, Req0).
----

They can also be set for a duration in seconds:

[source,erlang]
----
SessionID = generate_session_id(),
Req = cowboy_req:set_resp_cookie(<<"sessionid">>, SessionID, Req0,
    #{max_age => 3600}).
----

To delete cookies, set `max_age` to 0:

[source,erlang]
----
SessionID = generate_session_id(),
Req = cowboy_req:set_resp_cookie(<<"sessionid">>, SessionID, Req0,
    #{max_age => 0}).
----

To restrict cookies to a specific domain and path, the options
of the same name can be used:

[source,erlang]
----
Req = cowboy_req:set_resp_cookie(<<"inaccount">>, <<"1">>, Req0,
    #{domain => "my.example.org", path => "/account"}).
----

Cookies will be sent with requests to this domain and all
its subdomains, and to resources on this path or deeper
in the path hierarchy.

To restrict cookies to secure channels (typically resources
available over HTTPS):

[source,erlang]
----
SessionID = generate_session_id(),
Req = cowboy_req:set_resp_cookie(<<"sessionid">>, SessionID, Req0,
    #{secure => true}).
----

To prevent client-side scripts from accessing a cookie:

[source,erlang]
----
SessionID = generate_session_id(),
Req = cowboy_req:set_resp_cookie(<<"sessionid">>, SessionID, Req0,
    #{http_only => true}).
----

Cookies may also be set client-side, for example using
Javascript.

=== Reading cookies

The client only ever sends back the cookie name and value.
All other options that can be set are never sent back.

Cowboy provides two functions for reading cookies. Both
involve parsing the cookie header(s) and so should not
be called repeatedly.

You can get all cookies as a key/value list:

[source,erlang]
Cookies = cowboy_req:parse_cookies(Req),
{_, Lang} = lists:keyfind(<<"lang">>, 1, Cookies).

Or you can perform a match against cookies and retrieve
only the ones you need, while at the same time doing
any required post processing using xref:constraints[constraints].
This function returns a map:

[source,erlang]
#{id := ID, lang := Lang} = cowboy_req:match_cookies([id, lang], Req).

You can use constraints to validate the values while matching
them. The following snippet will crash if the `id` cookie is
not an integer number or if the `lang` cookie is empty. Additionally
the `id` cookie value will be converted to an integer term:

[source,erlang]
CookiesMap = cowboy_req:match_cookies([{id, int}, {lang, nonempty}], Req).

Note that if two cookies share the same name, then the map value
will be a list of the two cookie values.

A default value can be provided. The default will be used
if the `lang` cookie is not found. It will not be used if
the cookie is found but has an empty value:

[source,erlang]
#{lang := Lang} = cowboy_req:match_cookies([{lang, [], <<"en-US">>}], Req).

If no default is provided and the value is missing, an
exception is thrown.