[erlang-questions] web authentication

Joe Armstrong erlang@REDACTED
Mon Jul 18 21:13:38 CEST 2011

I'm still following this thread with interest thanks for all the information.

It seems like there are two phases:

1) initial authentication
    Here there is some kind of challenge/response interaction
    If this succeeds the server sends a session cookie to the client.

2) Per-connection authentication.
    If 1) has succeeded, the client sends the session cookie to the
    in each new request. The sever uses this as a key into a database
    if the database lookup matches the correct user then everything is ok
    This has to be done ever time a new socket is opened.

My original question also asked about openId - can't I get google (or something)
to authenticate the user then do some kind of hand-over to me? If this
is the case then I wouldn't have to bother with the details of passwords myself



On Mon, Jul 18, 2011 at 6:22 PM, Tim Fletcher <mail@REDACTED> wrote:
>> Logging out can be accomplished by simply sending an "unauthenticated" HTTP
>> status code and a new Authenticate header that tells the client it needs new
>> credentials.
> Most browsers will cache HTTP Auth credentials until the end of the
> browser session, so although it looks like you've logged out, you'll
> often be able to get straight back in again without having to re-enter
> a password. This usability issue is more significant a problem than
> the overhead of SSL, IMO.
> An alternative to storing session data on the server is to use signed/
> encrypted cookies. Stefan Tilkov outlined a general approach for doing
> this, which you can use in any language:
>  http://www.innoq.com/blog/st/2009/06/devoxx_08_rest_patterns_and_an.html
> (slide 44 of 71)
>  - ask user for name and password if no cookie passed
>  - authenticate user
>  - create auth token as username + expiry date
>  - hash(auth token + server secret)
>  - return cookie as hash + auth_token
>  - server validates with algorithm on in-memory data
> Hope that helps.
> Cheers,
> Tim
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

More information about the erlang-questions mailing list