This is old documentation.
It means that the cookie once was viewed as a security measure, and not just something to prevent accidental connections from happening.
Nothing warns users that the information here is no longer current, either.
Old indeed, and no mention of newer docs. When I use my favorite search engine I almost always land in the old docs, and I guess others will too.
For the docs it would be helpful to have a sticky link on top referring to the newest docs. That helps in finding the current docs.
In the new docs there is a whole section explaining that “with security we do not mean security.” May I suggest to just rename the Security paragraph to Protect against accidental connections and make the whole confusion disappear?
That is a tough one. The thing also is that currently the default cookie looks secure, but it isn’t. If its function is only to prevent accidental connections, something human readable and obviously predictable would remove the suggestion that the cookie is something secure. Something like insecure-cookie-<four-digits>?
Indeed, if it is insecure, make clear that it is.
Changing the name of “cookie” into “identifier” or “cluster-name” will also help. In web-systems cookies are often used for security, where identifiers and names are clearly just there for everybody to see and use.
If the cookie is not meant for security, then do not make it smell (or sound) like security in the first place. So no funky hex codes, do not call it “cookie”, do not set the .erlang.cookie file to 0004, do not mention it in a text called “security.”
Maybe we can do more to emphasize that it is insecure. A lot of things around this area are very old, and legacy things can be quite tedious to get rid of even when there are good reasons. I agree that many of the chosen names in this area are really unfortunate from the perspective of today. We will have to think about what is feasible.
Thanks for taking this seriously and not just blaming users for not reading the most up to date manuals.
This is exactly how security incidents often happen… Changing environments.