[erlang-questions] web authentication

Joe Armstrong erlang@REDACTED
Mon Jul 18 21:13:38 CEST 2011


I'm still following this thread with interest, thanks for all the information.

It seems like there are two phases:

1) initial authentication
    Here there is some kind of challenge/response interaction
    If this succeeds the server sends a session cookie to the client.

2) Per-connection authentication.
    If 1) has succeeded, the client sends the session cookie to the
    server in each new request. The server uses this as a key into a database;
    if the database lookup matches the correct user then everything is ok.
    This has to be done every time a new socket is opened.

My original question also asked about OpenID: can't I get Google (or something)
to authenticate the user, then do some kind of hand-over to me? If this
is the case then I wouldn't have to bother with the details of passwords myself.

Cheers

/Joe

On Mon, Jul 18, 2011 at 6:22 PM, Tim Fletcher <mail@REDACTED> wrote:
>> Logging out can be accomplished by simply sending an "unauthenticated" HTTP
>> status code and a new Authenticate header that tells the client it needs new
>> credentials.
>
> Most browsers will cache HTTP Auth credentials until the end of the
> browser session, so although it looks like you've logged out, you'll
> often be able to get straight back in again without having to re-enter
> a password. This usability issue is more significant a problem than
> the overhead of SSL, IMO.
>
> An alternative to storing session data on the server is to use signed/
> encrypted cookies. Stefan Tilkov outlined a general approach for doing
> this, which you can use in any language:
>
>  http://www.innoq.com/blog/st/2009/06/devoxx_08_rest_patterns_and_an.html
> (slide 44 of 71)
>
>  - ask user for name and password if no cookie passed
>  - authenticate user
>  - create auth token as username + expiry date
>  - hash(auth token + server secret)
>  - return cookie as hash + auth_token
>  - server validates with algorithm on in-memory data
>
> Hope that helps.
>
> Cheers,
> Tim
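The signed-cookie scheme in Tim's list above, and the per-request check from Joe's phase 2, worked through end to end as an added example (my code, not code from this thread or from Stefan Tilkov's slides). Two things are my own substitutions and not on the slide: the token is authenticated with HMAC-SHA256 keyed by the server secret rather than a plain hash(auth token + server secret), and the tag is compared in constant time. The secret, user names and timestamps are constructed for the example; `now` is passed in explicitly so the expiry logic can be exercised without waiting.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed for the example; a real deployment generates this at random
# and never ships it to the client. Rotating it invalidates every cookie.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_cookie(username, ttl_seconds, now=None, secret=SERVER_SECRET):
    """Step 3-5 of the slide: auth token = username + expiry, tag the token
    with the server secret, return tag + token as one opaque cookie value."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + int(ttl_seconds)
    token = f"{username}:{expiry}".encode()
    # HMAC instead of hash(token + secret): no length-extension issues,
    # and the secret never touches the hash input directly.
    tag = hmac.new(secret, token, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + token).decode()


def validate_cookie(cookie, now=None, secret=SERVER_SECRET):
    """Step 6 of the slide: validate with the algorithm and in-memory
    secret only, no database lookup. Returns the username, or None if the
    cookie is malformed, tampered with, forged with another secret, or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    tag, token = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(secret, token, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many tag
    # bytes an attacker has guessed correctly.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        username, expiry_text = token.decode().rsplit(":", 1)
        expiry = int(expiry_text)
    except (UnicodeDecodeError, ValueError):
        return None
    if now >= expiry:
        return None
    return username


if __name__ == "__main__":
    cookie = issue_cookie("joe", ttl_seconds=600, now=1000)
    print("valid before expiry:", validate_cookie(cookie, now=1500))
    print("after expiry:", validate_cookie(cookie, now=1600))
    forged = issue_cookie("admin", 600, now=1000, secret=b"attacker-guess")
    print("forged with wrong secret:", validate_cookie(forged, now=1500))
```

Because the server keeps no per-session state, nothing is looked up per request, which is the attraction; the flip side is that there is nothing to delete on logout either. Clearing the cookie in the browser does not stop a copied cookie from validating until its expiry, so keep the TTL short (or add a small server-side denylist for logged-out tokens, which brings back some state). The value is a bearer token, so it still needs to travel over SSL with the Secure and HttpOnly cookie attributes set.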