Security of HTTP based authentication
alex at digriz.org.uk
Thu Jan 13 19:29:33 GMT 2011
Zbigniew Lukasiak <zzbbyy at gmail.com> wrote:
> To add some more context to my question - I am now analyzing what kind
> of authentication models I should support - that is write some
> exploratory code to check that they are more or less easily realizable
> - in WebNano. So what I am looking for are the more universal ways.
> But I am also thinking about what I should use in Nblog - to make it a
> finished product.
> After your reply and some more research I think I'll settle with the 3
> levels model:
> 1. HTTP without auth
> 2. HTTP with auth
> 3. HTTPS with auth
> At level 2 someone could also implement additional checks - like
> including from time to time an empty image via HTTPS to auth the
> unencrypted session with the secure cookie, tie the session to IP,
> etc. - but for now I just want to get the overall model right.
*Never* tie to an IP...there are proxy servers out there:
Also, what stops me coming to you over IPv4...then IPv6, and then back
to IPv4? Worth noting my IPv6 address also varies over time...
> You wrote that you don't send images via HTTP on a HTTPS page - what
> are the reasons for that?
HTTPS is only slow during the initial handshake, transferring the actual
encrypted data is *fast*. If you have some el-fango web 2.0-mcwhatsit
website with ajax and god knows what else, that's a lot of new HTTP(S)
sessions that need to be fired off. HTTP pipelining should help but you
will have to twiddle your fingers until web browsers support SCTP.
I personally would just HTTPS *everything*, the solution is in making
your website cache friendly.
By default, iirc, web browsers will not cache anything SSLed; means
every time you refresh the page, that's a lot of new HTTPS sessions being
fired up potentially and lots of redownloading...very slow. If you use
HTTP headers to instruct web browsers to cache heavily, you will find
initially your website is slow, but then very nippy.
Although often day one you only care about authentication, then
later you decide you want encryption everywhere.
.sigmonster says: No Canadian coins.
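The reply's two practical points (serve everything over HTTPS and make the site cache friendly with explicit headers, while never letting an authenticated page be cached) in working form, as an added example that is not from the original thread or from WebNano/Nblog. Python is used here instead of Perl purely for illustration; the static-asset suffix list, the max-age values, the cookie attributes and the function names are assumptions of this example.

```python
"""Added example (not from the original post): response headers for an
all-HTTPS site that browsers will cache, plus a session cookie that is
only ever sent over HTTPS. Suffix list, max-age values and cookie
attributes are assumptions chosen for illustration."""
import hashlib

# Assumed: anything with one of these suffixes is a static asset that may
# be cached heavily; everything else is a dynamic page.
STATIC_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".ico", ".woff")


def cache_headers(path, body, authenticated):
    """Return the caching headers for one response.

    Browsers are conservative about storing HTTPS responses unless the
    server says so explicitly, so static assets get a long public max-age
    and an ETag for cheap revalidation.  Pages produced for a logged-in
    user get no-store: a shared or later user of the same machine must not
    be able to pull them back out of the browser cache.
    """
    if path.endswith(STATIC_SUFFIXES):
        # Content-derived validator; a changed file gets a new ETag.
        etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]
        return {"Cache-Control": "public, max-age=604800", "ETag": etag}
    if authenticated:
        return {
            "Cache-Control": "private, no-store",
            "Pragma": "no-cache",      # for HTTP/1.0-era caches
            "Vary": "Cookie",
        }
    # Anonymous dynamic page: short public lifetime, keyed on Cookie so a
    # shared cache never hands an anonymous page to a logged-in user.
    return {"Cache-Control": "public, max-age=60", "Vary": "Cookie"}


def status_for(if_none_match, headers):
    """Decide 304 vs 200 for a conditional request.

    Only responses that carry an ETag can be revalidated; no-store pages
    never do, so they are always regenerated.
    """
    etag = headers.get("ETag")
    if etag is not None and if_none_match == etag:
        return 304
    return 200


def session_cookie(name, value):
    """Build a Set-Cookie header for the 'HTTPS with auth' level.

    Secure keeps the browser from ever sending it over plain HTTP, HttpOnly
    keeps page scripts from reading it, SameSite=Lax limits cross-site
    sending.  Attribute choice is an assumption of this example.
    """
    return "%s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (name, value)


if __name__ == "__main__":
    css = cache_headers("/static/site.css", b"body { margin: 0 }", False)
    print(css, status_for(css["ETag"], css))
    print(cache_headers("/admin/posts", b"<html>", True))
    print(session_cookie("sid", "constructed-session-id"))
```

The important asymmetry is in `cache_headers`: the heavy caching the reply recommends applies to assets that are identical for every visitor, while anything rendered for an authenticated session is marked `no-store` regardless of how fast it would be to cache it.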