[erlang-questions] web authentication

Jon Watte jwatte@REDACTED
Sat Jul 9 07:20:42 CEST 2011


You've already gotten some good answers; however, having worked extensively
with this myself, I recommend:

1) Use HTTPS for all traffic. Computers are fast. Crypto is cheap. Cookie
theft is a reality on open channels.

2) Use Basic-auth over HTTP -- this sends name and password,
base-64-encoded.

3) HTTP is stateless. The auth will be sent with each and every request. The
fact that HTTP/1.1 allows you to keep the physical TCP connection open and
send another request is purely an optimization; you cannot assume anything
about the next request that comes in. In fact, a HTTP gateway may multiplex
multiple internal users to a single external connection, and send different
credentials (including no credentials) with each request.

The stateless nature of HTTP is what makes it scale really, really well for
certain problem domains and usage patterns. It's also what makes it a pain
in the butt when certain kinds of efficiencies are important. This area is
fraught with more distress than you would normally think. I believe this is
because old-school networking people sometimes haven't yet realized the
benefits of HTTP as currently implemented and optimized; meanwhile, web-only
people often don't understand that there are cases where HTTP is NOT the
right solution. Sitting in the middle is fun and frustrating at the same
time ;-)

Sincerely,

jw


--
Americans might object: there is no way we would sacrifice our living
standards for the benefit of people in the rest of the world. Nevertheless,
whether we get there willingly or not, we shall soon have lower consumption
rates, because our present rates are unsustainable.



On Thu, Jul 7, 2011 at 12:29 PM, Joe Armstrong <erlang@REDACTED> wrote:

> Slightly off topic. But I want to make an erlang web site.
>
> 1) How does web authentication work?
>
> Let's assume something like:
>
>   http://en.wikipedia.org/wiki/Digest_access_authentication
>
> This is easy to understand.
>
> What I don't understand is what happens if the session socket is closed.
> Handshaking tales place over an open socket and the client is
> authenticated - this
> is easy to understand.
>
> What happens if the socket is closed, and reopened in a subsequent request?
> Does the server set and receive a session cookie? Does the client remember
> and
> replay the authentication protocol?
>
> How does this work?
>
> 2) I want to make a web thing that requires the user to authenticate
> themself.
>
> Should I:
>
>    a) Roll my own (some MD5 + cookies should do the job)
>    b) Implement  http://en.wikipedia.org/wiki/Digest_access_authentication
>    c) Something else?
>
> Seems like for a real web site there is a lot of cruft involved
> preventing spammers,
> false-accounts, forgotten-passwords etc. can I get all of this for
> free by getting
> authentication credentials via goole/facebook or something? Is this
> what OpenID does?
>
> Finally is this entire authentication-user management-forgot my
> password built-in
> to any of the popular erlang web servers?
>
> Cheers
>
> /Joe
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20110708/a49e4cf2/attachment.htm>


More information about the erlang-questions mailing list