[Twisted-Python] Re: cred and stateless protocols

Manlio Perillo manlio_perillo at libero.it
Mon May 8 04:17:43 EDT 2006


jarrod roberson wrote:
> [...]
>     I simply have seen a UDP protocol that uses sessions to identify each
>     request.
>     The session is obtained after an authentication phase.
> 
> 
> if the session id never changes I am SURE you have seen an insecure UDP
> protocol

Of course, like 90% of the internet (as far as I have seen)...

> which means unless the client and server are generating dynamic single
> use tokens and "know" what the next valid session id the client should
> send, which implies encryption plus authentication on every request.
> 
>     Since I think that the procedure is similar to HTTP session handling, I
>     was asking if there is some reusable support for creating "secure"
>     session id and if cred has some support for this.
> 
> 
> 
> you still don't understand STATE != Authentication.
> 
> ANYONE can sniff the packets, get whatever token or breadcrumb you are
> using for the state id and spoof it.
> that is unless you REQUIRE authentication on every request. "secure"
> session ids imply a form of authentication on every request.
> 

Ok, but this implies (with a simple authentication scheme like HTTP)
doubling the number of requests/responses.

And what if the authentication protocol is more complex?

> you can't just "encrypt" a string and call it a "secure" session id.
> 

But I can generate a "secure" session and use it to encrypt every
request/response.

Or, more simply, one can use SSL.

Unfortunately many web sites do not use SSL or use only HTTP Basic
Authentication...


By the way:
for user tracking in UDP, why not just use the peer address?



Thanks and regards, Manlio Perillo
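The scheme the thread is circling around (a session established once after
authentication, then every datagram authenticated with a per-session secret
rather than a bare session id) can be shown in a few lines of plain Python.
This is an added example written for this page; it is not code from the
original thread, from Twisted or from cred. The credential check, the wire
layout (16-byte session id, 8-byte counter, 32-byte HMAC-SHA256 tag, payload)
and the sample requests are all constructed here for illustration. It uses
only the standard library and does no real network I/O, so it runs offline.

```python
"""Added example: per-request authentication of UDP-style datagrams.

Two servers are shown. WeakServer accepts any datagram that names a known
session id, so a sniffed datagram can be replayed or rewritten by anyone on
the path. Server requires an HMAC over (session id, counter, payload) keyed
with a secret that is only ever known to the two ends, and rejects counters
that do not increase, so a sniffed datagram can be neither forged nor replayed.
"""
import hashlib
import hmac
import secrets
import struct

HEADER_LEN = 16 + 8 + 32  # session id | counter | tag


class WeakServer:
    """Static plaintext session id as the only 'credential' (the insecure case)."""

    def __init__(self):
        self.sessions = set()

    def authenticate(self, username, password):
        # Hypothetical credential check standing in for the real auth phase.
        if (username, password) != ("alice", "correct horse"):
            return None
        sid = secrets.token_bytes(16)
        self.sessions.add(sid)
        return sid

    def handle(self, datagram):
        sid, payload = datagram[:16], datagram[16:]
        if sid not in self.sessions:
            return "reject: unknown session"
        return "ok: " + payload.decode()


class Server:
    """Per-request MAC with a per-session key and anti-replay counter."""

    def __init__(self):
        self.sessions = {}  # session id -> {"key": bytes, "last_ctr": int}

    def authenticate(self, username, password):
        # Hypothetical credential check. In a real protocol the session key
        # would be derived by a key exchange or delivered over TLS; here it is
        # simply returned to the caller to keep the example self-contained.
        if (username, password) != ("alice", "correct horse"):
            return None
        sid = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self.sessions[sid] = {"key": key, "last_ctr": 0}
        return sid, key

    def handle(self, datagram):
        if len(datagram) < HEADER_LEN:
            return "reject: short"
        sid = datagram[:16]
        ctr_bytes = datagram[16:24]
        tag = datagram[24:HEADER_LEN]
        payload = datagram[HEADER_LEN:]
        sess = self.sessions.get(sid)
        if sess is None:
            return "reject: unknown session"
        # The tag covers the counter and payload, so neither can be altered.
        expected = hmac.new(sess["key"], sid + ctr_bytes + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        ctr = struct.unpack("!Q", ctr_bytes)[0]
        # A valid but already-seen datagram is a replay of a sniffed packet.
        if ctr <= sess["last_ctr"]:
            return "reject: replay"
        sess["last_ctr"] = ctr
        return "ok: " + payload.decode()


def build_request(sid, key, ctr, payload):
    """Client side: compute the MAC the server will verify."""
    ctr_bytes = struct.pack("!Q", ctr)
    tag = hmac.new(key, sid + ctr_bytes + payload, hashlib.sha256).digest()
    return sid + ctr_bytes + tag + payload


def demo_weak():
    """A sniffed datagram can be replayed and rewritten against WeakServer."""
    server = WeakServer()
    sid = server.authenticate("alice", "correct horse")
    sniffed = sid + b"GET /status"
    return [server.handle(sniffed),            # legitimate request
            server.handle(sniffed),            # attacker replays it: accepted
            server.handle(sid + b"DELETE /all")]  # attacker reuses sid: accepted


def demo_authenticated():
    """The same attacks against Server are all rejected."""
    server = Server()
    sid, key = server.authenticate("alice", "correct horse")
    req = build_request(sid, key, 1, b"GET /status")
    results = [server.handle(req)]             # legitimate request
    results.append(server.handle(req))         # replay of the sniffed datagram
    results.append(server.handle(req[:HEADER_LEN] + b"DELETE /all"))  # rewritten payload
    # Knowing the session id but not the key, the attacker cannot make a tag.
    results.append(server.handle(build_request(sid, b"\x00" * 32, 2, b"GET /status")))
    return results
```

Note what the authenticated variant costs: the server keeps a last-seen
counter per session, so the protocol is no longer fully stateless on the
server side, and the payload is authenticated but still readable by anyone
sniffing the path; confidentiality would need encryption of the payload under
the same session secret (or SSL, as the message above suggests).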



