[erlang-questions] web authentication

Max Lapshin max.lapshin@REDACTED
Sat Jul 9 07:40:23 CEST 2011


On Sat, Jul 9, 2011 at 9:20 AM, Jon Watte <jwatte@REDACTED> wrote:
> You've already gotten some good answers; however, having worked extensively
> with this myself, I recommend:
>
> 1) Use HTTPS for all traffic. Computers are fast. Crypto is cheap. Cookie
> theft is a reality on open channels.
>

This is not as clear as it seems.
1) HTTPS adds delay. It is not a blocking problem for a social
network/wiki, but it is a profit penalty for an online shop.
2) HTTPS still has issues with Internet Explorer, when some code is
HTTP and some is HTTPS. And when something is HTTPS, but IE thinks it
is HTTP.


> 2) Use Basic-auth over HTTP -- this sends name and password,
> base-64-encoded.
>

Sorry, but it is a very, very bad recommendation. You are afraid of
cookie stealing, and this is why you recommend sending the name and
password in plaintext on each request. What for?
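To make the point of this exchange concrete, here is an added Python example (not code from the thread or from either poster). It decodes a Basic `Authorization` header to show that base-64 is an encoding rather than a protection, classifies what an on-path observer learns from a request depending on whether it travels over HTTP or HTTPS, and builds a `Set-Cookie` header with the attributes that keep a session token off plain HTTP. The sample requests are constructed; the user name, password and cookie value are placeholders.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not captured traffic): (scheme, request headers).
# "YWxpY2U6czNjcmV0" is base64("alice:s3cret"), a placeholder credential.
SAMPLE_REQUESTS = [
    ("http",  {"Authorization": "Basic YWxpY2U6czNjcmV0"}),
    ("https", {"Authorization": "Basic YWxpY2U6czNjcmV0"}),
    ("http",  {"Cookie": "session=abc123"}),
    ("https", {"Cookie": "session=abc123"}),
]


def basic_auth_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None.

    Base64 is reversible by anyone who sees the header, so over plain HTTP
    the password itself is on the wire with every request.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def exposure(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Describe what a passive observer on the network path learns from one request."""
    findings: List[str] = []
    in_clear = scheme.lower() == "http"
    auth = headers.get("Authorization")
    if auth and basic_auth_credentials(auth):
        if in_clear:
            # The long-lived secret itself, repeated on every request.
            findings.append("password-in-clear")
        else:
            # TLS hides it from the path, but the password is still resent each time.
            findings.append("password-each-request")
    cookie = headers.get("Cookie")
    if cookie and in_clear:
        # A session token can be replayed until it expires or is revoked.
        findings.append("cookie-in-clear")
    if not findings:
        findings.append("ok")
    return findings


def secure_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie header for a session token: sent only over HTTPS (Secure),
    hidden from page scripts (HttpOnly), not attached to cross-site requests (SameSite)."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit(requests=SAMPLE_REQUESTS) -> List[Tuple[str, List[str]]]:
    """Run the exposure check over a list of (scheme, headers) pairs."""
    return [(scheme, exposure(scheme, headers)) for scheme, headers in requests]


if __name__ == "__main__":
    for scheme, findings in audit():
        print(f"{scheme:5} -> {', '.join(findings)}")
    print("Set-Cookie:", secure_session_cookie("session", "abc123"))
```

The classification shows the trade-off the two posters are arguing about: a stolen session cookie is a bounded, revocable secret, while a Basic-auth password sent over plain HTTP is the account itself. The `Secure` attribute is what ties the cookie approach to HTTPS: without it, a browser will also send the token over plain HTTP.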
