
You probably can't use it directly but it should at least show you how we did it. In particular, the Snap.Snaplet.Session.SecureCookie module (internal, I think, so look at source) may be of interest to you as it implements the self-contained idea of encrypted cookies.
- Oz

On Wednesday, February 27, 2013 at 4:43 PM, Corentin Dupont wrote:
Thanks Ozgun, but I'm using Happstack: will this be compatible?
On Wed, Feb 27, 2013 at 10:30 PM, Ozgun Ataman wrote:
I would encourage you to take a look at the snap (the web framework) package, where this concern is handled for you as part of the "session" snaplet.
The Snap.Snaplet.Session (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple...) module and the Snap.Snaplet.Session.Backends.CookieSession (http://hackage.haskell.org/packages/archive/snap/0.11.2/doc/html/Snap-Snaple...) ensure that contents of the cookie-persistent sessions are encrypted and so you can place anything from user ids to other secret information there, although I would certainly keep it to a minimum for size concerns.
Here it is: http://hackage.haskell.org/package/snap
Hope this helps, Oz
On Wed, Feb 27, 2013 at 2:08 PM, Corentin Dupont wrote:
So I need to "encrypt" the user ID in some way? What I need is to associate the user ID with a random number and store the association in a table?
On Wed, Feb 27, 2013 at 3:52 PM, Erik Hesselink wrote:
Note that cookies are not the solution here. Cookies are just as user-controlled as the URL, just less visible. What you need is a session id: a mapping from a non-consecutive, non-guessable, secret token to the user id (which is sequential and thus guessable, and often exposed in URLs etc.). It doesn't matter if you then store it in the URL or a cookie. Cookies are just more convenient.
Erik
On Wed, Feb 27, 2013 at 3:30 PM, Corentin Dupont wrote:
Yes, having a cookie to keep track of the session is something I plan to do.
On Wed, Feb 27, 2013 at 3:16 PM, Mats Rauhala wrote:
The user id is not necessarily the problem, but rather that you can pose as another user. For this, one solution is to keep track of a unique (changing) user token in the cookies and use that for verifying the user.
-- Mats Rauhala MasseR
_______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org (mailto:Haskell-Cafe@haskell.org) http://www.haskell.org/mailman/listinfo/haskell-cafe
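The two designs discussed in the thread, as an added example that is not part of the original mailing-list exchange and not Snap's or Happstack's own code (the concept is language-neutral, so it is written in Python rather than Haskell): Erik's server-side session table, which maps a random, unguessable token to the sequential user id so that a forged cookie containing someone else's user id has no effect, and the self-contained alternative Oz points at, here in the weaker form of an HMAC-signed cookie (it is authenticated, so it cannot be forged or edited, but unlike Snap's SecureCookie it is not encrypted, so the user id inside it is readable). `USERS`, `SECRET_KEY` and the in-memory store are constructed for the example; a real deployment loads the key from configuration and persists sessions somewhere that survives restarts.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed user table: ids are sequential, hence guessable.
USERS = {1: "alice", 2: "bob", 3: "carol"}


class SessionStore:
    """Server-side session table: random secret token -> user id.

    The token is the only thing the client ever sees; the sequential
    user id stays on the server side of the mapping.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: dict[str, tuple[int, float]] = {}
        self._ttl = ttl_seconds

    def create(self, user_id: int) -> str:
        if user_id not in USERS:
            raise ValueError("unknown user")
        # 32 bytes from the OS CSPRNG: non-consecutive and infeasible to guess.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, time.time() + self._ttl)
        return token

    def lookup(self, token: str) -> Optional[int]:
        """Return the user id for a valid, unexpired token, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if time.time() > expires_at:
            del self._sessions[token]
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Logout: drop the mapping so the token stops working immediately."""
        self._sessions.pop(token, None)


# Self-contained variant: no table; the cookie carries the user id plus a MAC.
# Assumption: in real use this key comes from configuration, not source code.
SECRET_KEY = b"constructed-example-key-replace-me"


def sign_cookie(user_id: int, key: bytes = SECRET_KEY) -> str:
    """Produce '<user_id>.<hmac-sha256>' so the value cannot be altered."""
    payload = str(user_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the user id if the MAC checks out, else None.

    A client that rewrites the id part ('2.<tag>' -> '1.<tag>') fails here
    because the tag was computed over the original id.
    """
    try:
        uid_text, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, uid_text.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: no timing side channel on the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return int(uid_text)
    except ValueError:
        return None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create(2)
    print("table lookup of real token:", store.lookup(tok))
    print("table lookup of guessed user id '1':", store.lookup("1"))
    cookie = sign_cookie(2)
    print("signed cookie verifies as:", verify_cookie(cookie))
    tampered = "1." + cookie.split(".", 1)[1]
    print("tampered cookie verifies as:", verify_cookie(tampered))
```

The table-backed store is the one that also gives you revocation: dropping the row ends the session, whereas a signed or encrypted cookie stays valid until it expires (or the key is rotated) unless you keep a denylist, which is a table again.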