Chapter 6. Writing Secure Applications
Very often, secure applications come at the expense of complexity (and developer headaches). The Tornado web server has been designed with a number of security considerations in mind, making it easy to protect against a few well-documented vulnerabilities. Secure cookies prevent a user’s local state from being surreptitiously modified by malicious code in his browser. Additionally, browser cookies can be compared with HTTP request parameter values to prevent cross-site request forgery attacks. In this chapter, we will look at features in Tornado that make preventing these attacks easy and then look at a user authentication example that uses these features.
Cookie Vulnerabilities
Many websites use browser cookies to store a user’s identity between browser sessions. It’s a simple and widely compatible way to store persistent state across browser sessions. Unfortunately, browser cookies are susceptible to a number of well-documented attacks. This section will demonstrate how Tornado prevents a malicious script from tampering with your application’s stored cookies.
Cookie Forgery
There are a number of ways cookies can be intercepted in the browser. JavaScript and Flash have read and write access to the cookies on the domain of the page in which they are executed. Browser plug ins also have programmatic access to this data. Cross-site scripting attacks can take advantage of this access to modify the value of a cookie in the visitor’s browser.
Secure ...
Get Introduction to Tornado now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.