Security of HTTP based authentication

Alexander Clouter alex at
Thu Jan 13 19:29:33 GMT 2011

Zbigniew Lukasiak <zzbbyy at> wrote:
> To add some more context to my question - I am now analyzing what kind
> of authentication models I should support - that is write some
> exploratory code to check that they are more or less easily realizable
> - in WebNano.  So what I am looking for are the more universal ways.
> But I am also thinking about what I should use in Nblog - to make it a
> finished product.
> After your reply and some more research I think I'll settle with the 3
> levels model:
> 1. HTTP without auth
> 2. HTTP with auth
> 3. HTTPS with auth
> At level 2 someone could also implement additional checks - like
> including from time to time an empty image via HTTPS to auth the
> unencrypted session with the secure cookie, tie the session to IP,
> etc. - but for now I just want to get the overall model right.
*Never* tie to an IP...there are proxy servers out there:

Also, what stops me coming to you over IPv4...then IPv6, and then back 
to IPv4?  Worth noting my IPv6 address also varies over time...

> You wrote that you don't send images via HTTP on a HTTPS page - what
> are the reasons for that?
HTTPS is only slow during the initial handshake, transferring the actual 
encrypted data is *fast*.  If you have some el-fango web 2.0-mcwhatsit 
website with ajax and god knows what else, that's a lot of new HTTP(S) 
sessions that need to be fired off.  HTTP pipelining should help but you 
will have to twiddle your fingers until web browsers support SCTP.

I personally would just HTTPS *everything*, the solution is in making 
your website cache friendly.

By default, iirc, web browsers will not cache anything SSLed; means 
every time you refresh the page, that's a lot of new HTTPS sessions being 
fired up potentially and lots of redownloading...very slow.  If you use 
HTTP headers to instruct web browsers to cache heavily, you will find 
initially your website is slow, but then very nippy.


[1] although often day one you only care about authentication, then 
    later you decide you want encryption everywhere

Alexander Clouter
.sigmonster says: No Canadian coins.
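As an added illustration of the two points made in the reply above (serve everything over HTTPS but make it cache friendly, and never bind a session to the client IP), here is a small self-contained WSGI app. It is example code written for this page, not code from WebNano, Nblog or the original poster. It redirects plain HTTP to HTTPS, gives static assets long-lived public caching with an ETag so refreshes turn into cheap 304s, marks authenticated pages no-store, and authenticates purely by a Secure/HttpOnly session cookie. The paths, the in-memory SESSIONS store and the STATIC contents are constructed assumptions.

```python
"""Added example (not from the original thread): HTTPS-everywhere WSGI app
that stays cache friendly and never ties a session to the client IP."""
from wsgiref.util import setup_testing_defaults
import hashlib
import secrets

# Constructed in-memory session store: token -> username (assumption).
SESSIONS = {}

# Constructed static assets served under /static/ (assumption).
STATIC = {
    "/static/app.js": b"console.log('hello');",
    "/static/spacer.gif": b"GIF89a\x01\x00\x01\x00",
}


def cache_headers_for(path):
    """Static assets may be cached for a year; anything else is per-user."""
    if path.startswith("/static/"):
        return "public, max-age=31536000, immutable"
    return "no-store, private"


def parse_cookies(header):
    """Turn a raw Cookie header into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def login(username):
    """Create a random session token; note no IP is recorded anywhere."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def session_cookie(token):
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly off scripts."""
    return f"session={token}; Secure; HttpOnly; Path=/; SameSite=Lax"


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    # HTTPS everything: bounce any plain-HTTP request to the HTTPS origin.
    if environ.get("wsgi.url_scheme") != "https":
        host = environ.get("HTTP_HOST", "localhost")
        start_response("301 Moved Permanently",
                       [("Location", f"https://{host}{path}")])
        return [b""]
    headers = [("Cache-Control", cache_headers_for(path))]
    if path in STATIC:
        body = STATIC[path]
        etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]
        headers += [("Content-Type", "application/octet-stream"), ("ETag", etag)]
        # A browser that cached the asset revalidates with If-None-Match and
        # gets an empty 304 instead of redownloading over the TLS session.
        if environ.get("HTTP_IF_NONE_MATCH") == etag:
            start_response("304 Not Modified", headers)
            return [b""]
        start_response("200 OK", headers)
        return [body]
    # Authenticated area: the cookie alone identifies the session.
    cookies = parse_cookies(environ.get("HTTP_COOKIE", ""))
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        start_response("401 Unauthorized", headers + [("Content-Type", "text/plain")])
        return [b"login required"]
    start_response("200 OK", headers + [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]


def request(path, cookie="", if_none_match=None, scheme="https"):
    """Drive the app in-process; returns (status, header dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["wsgi.url_scheme"] = scheme
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    if if_none_match:
        environ["HTTP_IF_NONE_MATCH"] = if_none_match
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Because the session lookup consults only the cookie, a client that arrives over a proxy, or that switches between IPv4 and IPv6 between requests, keeps its session; the Secure attribute is what stops the cookie leaking on the unencrypted side.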
