[erlang-questions] web authentication

Jon Watte jwatte@REDACTED
Sat Jul 9 20:44:39 CEST 2011


You should not send name/password in clear text. You should send it using
HTTP+TLS == HTTPS! My three suggestions should be used together.
The more salient point is that a REST client may or may not like cookies,
because you cannot, for example, issue multiple requests in parallel until
you've first done the stateful, cookie-generating, initial server
round-trip.

HTTPS has had some performance problems with an additional round-trip during
connection negotiation for TLS. For browsers that re-use the connection (all
HTTP/1.1 browsers), this is not much of a problem. However, our friends at
Google have actually done a lot of research in how to front-load the
necessary packets, so that you can reduce the negotiation overhead to close
to zero, without a change in protocol! It's quite fascinating. For an
initial look, check out:
http://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html

Sincerely,

jw



--
Americans might object: there is no way we would sacrifice our living
standards for the benefit of people in the rest of the world. Nevertheless,
whether we get there willingly or not, we shall soon have lower consumption
rates, because our present rates are unsustainable.



On Fri, Jul 8, 2011 at 10:40 PM, Max Lapshin <max.lapshin@REDACTED> wrote:

> On Sat, Jul 9, 2011 at 9:20 AM, Jon Watte <jwatte@REDACTED> wrote:
> > You've already gotten some good answers; however, having worked
> > extensively
> > with this myself, I recommend:
> >
> > 1) Use HTTPS for all traffic. Computers are fast. Crypto is cheap. Cookie
> > theft is a reality on open channels.
> >
>
> This is not as clear as it seems.
> 1) HTTPS adds delay. It is not a blocking problem for a social
> network/wiki, but it is a profit penalty for an online shop
> 2) HTTPS still has issues with Internet Explorer, when some code is
> HTTP and some is HTTPS. And when something is HTTPS, but IE thinks it
> is HTTP
>
>
> > 2) Use Basic-auth over HTTP -- this sends name and password,
> > base-64-encoded.
> >
>
> Sorry, but it is a very, very bad recommendation. You are afraid of
> cookie stealing and this is why you recommend sending name and
> password in plaintext on each request. What for?
>
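The two points argued above (that Basic auth only base64-encodes the password, so it is as good as plaintext on the wire, and that it is therefore acceptable only when the whole exchange runs over HTTPS) can be made concrete in a small handler. The following Python is an added example written for this thread, not code from either poster or from any Erlang project. It assumes a hypothetical `authenticate(headers, is_tls)` entry point, where `is_tls` is whatever the server framework reports about the transport, and a constructed in-memory credential store; a real service would hold salted password hashes, not passwords.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example: username -> password.
# A real deployment stores a salted password hash and verifies against it.
USERS = {"alice": "correct horse battery staple"}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}


def make_basic_header(user, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header):
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None if the header is missing or malformed. Base64 is an encoding,
    not encryption: anyone who can read the header can recover the password,
    which is why this header must only ever travel over TLS.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(headers, is_tls):
    """Return (status, response_headers, body) for one request.

    Credentials are examined only when the request arrived over TLS. On a
    plaintext connection the request is refused outright, so a client that
    mistakenly sends Basic credentials over HTTP gains nothing by doing so.
    """
    if not is_tls:
        return 403, {}, "credentials are accepted only over HTTPS"
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, dict(CHALLENGE), "authentication required"
    user, password = creds
    # Compare in constant time, and do so even for unknown users so that the
    # response timing does not distinguish a bad user from a bad password.
    expected = USERS.get(user, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not (matches and user in USERS):
        return 401, dict(CHALLENGE), "bad credentials"
    return 200, {}, f"hello {user}"


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("alice", "correct horse battery staple")}
    print(authenticate(hdr, is_tls=False))  # refused: plaintext transport
    print(authenticate(hdr, is_tls=True))   # accepted
    print(parse_basic_auth("Basic YWxpY2U6c2VjcmV0"))  # base64 decodes trivially
```

Because every request carries the credentials, a REST client needs no cookie-issuing round-trip before it can fire requests in parallel, which is the trade-off the thread is weighing; the cost is that the password is on every request, so the transport check is the part that must not be skipped.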