[erlang-questions] Yaws with HTTPS authentication + HTTP

Patrick patrickerj@REDACTED
Thu May 24 19:11:52 CEST 2007


Generally https data transfer is encrypted with SSL, but if I use
session identifiers then what is the difference between http and
https? Generally, as I understand it, https is much heavier on CPU than
its counterpart. But without certificate authentication what is the
advantage of https anyway?

Patrick

> > @Bob
> > Well, actually when I sign into gmail I land on an https page and
> > after I log in it redirects me to an http page...
> > Anyway, I will use https for starters until I understand how to
> > transfer credentials without losing security to http pages on my site
> > (I presume the user is checked for credentials with https every now
> > and then - don't know how this works).
>
> The page with the login form is always https, of course. I was
> ignoring the URL of that in my examples because it's irrelevant. It
> doesn't have to be even on the same domain using the kind of
> authentication scheme that Google does. The page you *started at*, the
> one that redirected you to the login page, is the one that determines
> where you go after logging in.
>
> HTTPS is just transport level security (unless you're using client
> certificates, which you're not). Authentication of this kind is at the
> application level and the transport you're using (http vs. https)
> doesn't change anything. It's usually some expiring token, stored in a
> cookie, that you can verify on every request.
>
> -bob
>
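
The expiring, cookie-stored token described in the quoted reply, as an added example that is not part of the original thread and is not Yaws or Google code. The key, lifetime, token layout and the cookie name `session` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: secret known only to the server
TTL_SECONDS = 900                 # assumption: 15-minute token lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(user, now=None):
    """Issued once, after the https login form has checked the password."""
    now = time.time() if now is None else now
    payload = "%s.%d" % (_b64(user.encode()), int(now) + TTL_SECONDS)
    return payload + "." + _sign(payload)


def verify_token(token, now=None):
    """Run on every request; returns the user name, or None if rejected."""
    now = time.time() if now is None else now
    try:
        user_b64, expires, sig = token.split(".")
        # Constant-time comparison of the MAC over "user.expiry".
        if not hmac.compare_digest(sig, _sign(user_b64 + "." + expires)):
            return None  # forged or modified token
        if int(expires) <= now:
            return None  # expired: the user must log in again
        pad = "=" * (-len(user_b64) % 4)
        return base64.urlsafe_b64decode(user_b64 + pad).decode()
    except (ValueError, TypeError, UnicodeError):
        return None      # malformed input is treated as unauthenticated


def session_cookie(token, secure=True):
    # The token is a bearer credential: the MAC stops forgery, not reading.
    # "Secure" keeps the browser from sending it over plain http at all.
    attrs = ["session=" + token, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

The check is identical whichever transport carried the request; what differs is whether the cookie crosses the network readable, which the token itself cannot detect.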


