[erlang-questions] web authentication

[Jon Watte]

My three suggestions were intended to be used together. The HTTP protocol is
what defines Basic-Auth. The encapsulation into TLS is transparent to that
particular step. My apologies if this confused my recommendation.

Logging out can be accomplished by simply sending an "unauthenticated" HTTP
status code and a new Authenticate header that tells the client it needs new
credentials.

HTTP authentication is superior to cookie-based authentication in a number
of cases where the REST nature of the web allows for various kinds of
mash-ups. Cookie-based authentication really only works well when an
interactive user is using a mainline web browser to access your application.
Kind-of like using the flash player for your website: some designers think
nothing about it; others believe that it significantly reduces the value of
the site, at least long-term. Let your requirements decide.

Sincerely,

jw


--
Americans might object: there is no way we would sacrifice our living
standards for the benefit of people in the rest of the world. Nevertheless,
whether we get there willingly or not, we shall soon have lower consumption
rates, because our present rates are unsustainable.



On Mon, Jul 11, 2011 at 10:16 AM, Garrett Smith <g@REDACTED> wrote:

> On Fri, Jul 8, 2011 at 11:20 PM, Jon Watte <jwatte@REDACTED> wrote:
>
> > 2) Use Basic-auth over HTTP -- this sends name and password,
> > base-64-encoded.
>
> This is surely a typo. You can't say "HTTP" and expect people to read
> "HTTP + TLS".
>
> For simple web auth, I routinely use basic auth, but only ever over
> HTTPS. This doesn't work however if you need to control sessions or
> let users log out. It's just a quick and dirty way to control who can
> see what.
>
> Garrett
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20110713/73b0291d/attachment.htm>