[erlang-questions] web authentication

Tim Fletcher mail@REDACTED
Mon Jul 18 18:22:43 CEST 2011


> Logging out can be accomplished by simply sending an "unauthenticated" HTTP
> status code and a new Authenticate header that tells the client it needs new
> credentials.

Most browsers will cache HTTP Auth credentials until the end of the
browser session, so although it looks like you've logged out, you'll
often be able to get straight back in again without having to re-enter
a password. This usability issue is a more significant problem than
the overhead of SSL, IMO.

An alternative to storing session data on the server is to use signed/
encrypted cookies. Stefan Tilkov outlined a general approach for doing
this, which you can use in any language:

  http://www.innoq.com/blog/st/2009/06/devoxx_08_rest_patterns_and_an.html
(slide 44 of 71)

  - ask user for name and password if no cookie passed
  - authenticate user
  - create auth token as username + expiry date
  - hash(auth token + server secret)
  - return cookie as hash + auth_token
  - server validates with algorithm on in-memory data

Hope that helps.

Cheers,
Tim
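The signed-cookie scheme from the six steps above, worked through as an added example (not code from the post, the thread, or Stefan Tilkov's slides). Names such as `make_cookie`, `verify_cookie` and `SERVER_SECRET` are assumptions, and the example uses HMAC-SHA256 over the auth token instead of the slides' plain `hash(auth token + server secret)`, because a keyed MAC is the standard way to stop a client from forging or length-extending a signature; the cookie layout (MAC followed by `username:expiry`) and the stateless server-side check follow the outline. Expiry is carried as a Unix timestamp:

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server secret for the example. A real deployment loads this
# from configuration; anyone holding it can mint cookies for any user.
SERVER_SECRET = b"example-server-secret-not-for-production"


def make_cookie(username: str, expires_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Step 3-5 of the outline: auth token = username + expiry,
    MAC it with the server secret, return 'mac|auth_token' as the cookie value."""
    if "|" in username or ":" in username:
        # The separators are what the verifier parses on; refuse ambiguous names.
        raise ValueError("username must not contain '|' or ':'")
    auth_token = f"{username}:{expires_at}"
    mac = hmac.new(secret, auth_token.encode(), hashlib.sha256).hexdigest()
    return f"{mac}|{auth_token}"


def verify_cookie(cookie: str, now: int, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Step 6 of the outline: validate with nothing but the secret in memory.
    Returns the username if the cookie is authentic and unexpired, else None."""
    try:
        mac, auth_token = cookie.split("|", 1)
        username, expires_str = auth_token.rsplit(":", 1)
        expires_at = int(expires_str)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(secret, auth_token.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time byte-by-byte matches.
    if not hmac.compare_digest(mac, expected):
        return None
    if now >= expires_at:
        return None  # expired; client must log in again (step 1)
    return username


def set_cookie_header(cookie: str, expires_at: int) -> str:
    """Set-Cookie line a server would emit for the value above. HttpOnly keeps
    scripts away from the token, Secure keeps it off plaintext HTTP."""
    max_age = max(0, expires_at - int(time.time()))
    return f"Set-Cookie: auth={cookie}; Max-Age={max_age}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    now = int(time.time())
    cookie = make_cookie("alice", now + 3600)
    print(set_cookie_header(cookie, now + 3600))
    print("valid now:", verify_cookie(cookie, now))
    print("after expiry:", verify_cookie(cookie, now + 3600))
    print("tampered:", verify_cookie(cookie.replace("alice", "admin"), now))
```

Because validation is stateless, "logging out" with this scheme means the client discarding the cookie; the server cannot revoke an individual cookie before its expiry without reintroducing some server-side state (a revocation list or a per-user token version), which is the trade-off against the session-store approach the thread started from.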



More information about the erlang-questions mailing list