[erlang-questions] Yaws with HTTPS authentication + HTTP

Bob Ippolito bob@REDACTED
Thu May 24 18:27:02 CEST 2007


On 5/24/07, Patrick <patrickerj@REDACTED> wrote:
> @Bob
> > If you go to https://mail.google.com/mail/ and you login, then you
> > will be redirected back to https://mail.google.com/mail/. If you go to
> > http://mail.google.com/mail/ and you login, you will be redirected to
> > http://mail.google.com/mail/. I don't understand why this makes you
> > think about ports.
>
> Well actually when I sign into gmail I actually land on an https page and
> after I login it redirects me to an http page...
> Anyway I will use https for starters until I understand how to
> transfer credentials without losing security to http pages on my site
> (I presume the user is checked for credentials with https every now
> and then - don't know how this works).

The page with the login form is always https, of course. I was
ignoring the URL of that in my examples because it's irrelevant. It
doesn't even have to be on the same domain using the kind of
authentication scheme that Google does. The page you *started at*, the
one that redirected you to the login page, is the one that determines
where you go after logging in.

HTTPS is just transport level security (unless you're using client
certificates, which you're not). Authentication of this kind is at the
application level and the transport you're using (http vs. https)
doesn't change anything. It's usually some expiring token, stored in a
cookie, that you can verify on every request.

-bob
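An added example, not code from the thread or from Yaws, of the expiring token in a cookie that Bob describes, written in Erlang since the site in question is served by Yaws. The module name, function names and the HMAC-SHA256 token layout are my own choices; it assumes OTP 22.1 or later (for crypto:mac/4) and a server-side secret Key that never leaves the server.

```erlang
%% Constructed example: an expiring, HMAC-signed session token that an
%% application can place in a cookie after login and verify on every
%% request. The transport (http or https) plays no part in the check.
-module(session_token).
-export([issue/3, verify/2]).

%% Cookie value layout:
%%   base64(User) . Expiry . hex(HMAC-SHA256(Key, base64(User) . Expiry))
%% base64 keeps "." out of the user part, so splitting on "." is safe.
issue(Key, User, TtlSeconds) when is_binary(Key), is_binary(User) ->
    Expiry = erlang:system_time(second) + TtlSeconds,
    Body = iolist_to_binary([base64:encode(User), ".",
                             integer_to_binary(Expiry)]),
    Mac = crypto:mac(hmac, sha256, Key, Body),
    %% Set this as the cookie value; mark the cookie Secure and HttpOnly
    %% when the site is served over https so it is not exposed in transit.
    <<Body/binary, ".", (hex(Mac))/binary>>.

%% Returns {ok, User} when the token is genuine and unexpired, otherwise
%% {error, Reason}. Signature is checked before anything else is parsed.
verify(Key, Token) when is_binary(Key), is_binary(Token) ->
    case binary:split(Token, <<".">>, [global]) of
        [B64User, ExpiryBin, MacHex] ->
            Body = <<B64User/binary, ".", ExpiryBin/binary>>,
            Expected = hex(crypto:mac(hmac, sha256, Key, Body)),
            case const_eq(Expected, MacHex) of
                false ->
                    {error, bad_signature};
                true ->
                    %% Only a token we signed reaches this point, so
                    %% ExpiryBin is the integer issue/3 wrote.
                    Now = erlang:system_time(second),
                    case binary_to_integer(ExpiryBin) > Now of
                        true  -> {ok, base64:decode(B64User)};
                        false -> {error, expired}
                    end
            end;
        _ ->
            {error, malformed}
    end.

%% Lowercase hex encoding of a binary.
hex(Bin) ->
    list_to_binary([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bin]).

%% Constant-time comparison so MAC checking does not leak via timing.
const_eq(A, B) when byte_size(A) =/= byte_size(B) -> false;
const_eq(A, B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs) =:= 0.
```

A login handler calls issue(Key, <<"alice">>, 3600) and stores the result in a cookie; every later request runs verify(Key, CookieValue) and treats {error, _} as "not logged in".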