[erlang-questions] web authentication
Mon Jul 18 21:13:38 CEST 2011
I'm still following this thread with interest; thanks for all the information.
It seems like there are two phases:
1) Initial authentication.
Here there is some kind of challenge/response interaction.
If this succeeds, the server sends a session cookie to the client.
2) Per-connection authentication.
If 1) has succeeded, the client sends the session cookie to the server
in each new request. The server uses this as a key into a database;
if the database lookup matches the correct user, then everything is OK.
This has to be done every time a new socket is opened.
My original question also asked about OpenID - can't I get Google (or something)
to authenticate the user, then do some kind of hand-over to me? If this
is the case, then I wouldn't have to bother with the details of passwords myself.
On Mon, Jul 18, 2011 at 6:22 PM, Tim Fletcher <mail@REDACTED> wrote:
>> Logging out can be accomplished by simply sending an "unauthenticated" HTTP
>> status code and a new Authenticate header that tells the client it needs new
> Most browsers will cache HTTP Auth credentials until the end of the
> browser session, so although it looks like you've logged out, you'll
> often be able to get straight back in again without having to re-enter
> a password. This usability issue is more significant a problem than
> the overhead of SSL, IMO.
> An alternative to storing session data on the server is to use
> signed/encrypted cookies. Stefan Tilkov outlined a general approach for
> doing this, which you can use in any language:
> (slide 44 of 71)
> - ask user for name and password if no cookie passed
> - authenticate user
> - create auth token as username + expiry date
> - hash(auth token + server secret)
> - return cookie as hash + auth_token
> - server validates with algorithm on in-memory data
> Hope that helps.
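The two per-request schemes discussed above (a session cookie that is a key into a server-side table, and Tim's stateless signed cookie built from username + expiry + a server secret), worked through in Python as an added example. This is not code from the post or from Stefan Tilkov's slides. The slide's hash(auth_token + secret) is replaced with HMAC-SHA256, since a bare hash over a concatenation is open to length-extension attacks with SHA-1/SHA-2; the cookie layout "<mac>.<base64(username|expiry)>", the SERVER_SECRET value, the PBKDF2 parameters and the user table are all constructed for the example.

```python
"""
Session handling for the two phases described in the thread:
  1) initial authentication: verify a password, hand out a session cookie
  2) per-request authentication: either look the cookie up in a server-side
     store, or validate a stateless signed cookie (username + expiry + MAC)
Constructed example, not code from the post or from Stefan Tilkov's slides.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: a long random per-deployment secret. Constructed value here;
# a real server loads it from configuration and never commits it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


# ---- phase 1: password check against salted PBKDF2 hashes (constructed users) ----

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)          # one salt per user in a real store
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}

def authenticate(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _pw_hash(password, salt))


# ---- phase 2, option A: opaque session id as a key into a server-side table ----

class SessionStore:
    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}   # sid -> (user, expiry)

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)      # 256 random bits: unguessable, carries no data
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[sid]
            return None
        return username

    def logout(self, sid: str) -> None:
        # Deleting the row revokes the session at once, whatever the browser still holds.
        self._sessions.pop(sid, None)


# ---- phase 2, option B: stateless signed cookie, validated with no database ----

def _mac(auth_token: bytes) -> str:
    # The slide says hash(auth_token + secret). A bare hash over a concatenation is
    # open to length extension with SHA-1/SHA-2, so HMAC is used here instead.
    return hmac.new(SERVER_SECRET, auth_token, hashlib.sha256).hexdigest()

def make_signed_cookie(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Cookie value is "<mac>.<base64(username|expiry)>"; it is signed, not encrypted."""
    now = time.time() if now is None else now
    auth_token = f"{username}|{int(now) + ttl_seconds}".encode()
    return _mac(auth_token) + "." + base64.urlsafe_b64encode(auth_token).decode()

def verify_signed_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the MAC is valid and the cookie is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        mac, tok = cookie.split(".", 1)
        auth_token = base64.urlsafe_b64decode(tok.encode())
    except ValueError:                       # malformed, or bad base64 (binascii.Error)
        return None
    # Constant-time comparison on bytes, so neither timing nor odd input leaks anything.
    if not hmac.compare_digest(mac.encode(), _mac(auth_token).encode()):
        return None
    try:
        username, expiry = auth_token.decode().rsplit("|", 1)
        if now >= int(expiry):
            return None
    except ValueError:                       # undecodable token or non-integer expiry
        return None
    return username
```

The trade-off that matters for the logout discussion above: SessionStore.logout() kills a session immediately because the server holds the state, whereas a signed cookie stays valid until its expiry no matter what the server does, unless you add a revocation list (which brings back the server-side lookup). The signed cookie is also only signed, not encrypted, so the username is readable by anyone who sees it; the slide's "signed/encrypted" variant would wrap the token in authenticated encryption. In both schemes the cookie is a bearer token, so it has to travel over TLS and be marked Secure and HttpOnly.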