[Twisted-Python] Re: cred and stateless protocols

Johann Borck johann.borck at densedata.com
Sat May 6 10:14:17 MDT 2006


jarrod roberson wrote:

>
>
> On 5/5/06, *Nicola Larosa* <nico at teknico.net
> <mailto:nico at teknico.net>> wrote:
>
>     > HTTP auth can also be used in such a way that the "session" is
>     simply
>     > the username that is being authenticated.  nevow.guard attempts
>     to make
>     > the distinction between cookie-based and http-auth-based
>     sessions simply
>     > an implementation detail.
>
>     Unfortunately they're functionally equivalent only as long as the same
>     credentials are only used on one browser instance at the same
>     time. If one
>     user authenticates himself on two browsers with the same
>     credentials, there
>     can be two distinct cookie-based sessions, but only one http-auth
>     based
>     "session".
>
>
> that would be the case for a NAIVE cookie-based session.
>
> an intelligent session management implementation would track be able
> to tell from
> the auth request that the user had already started a session and just
> use that.
>
> this kind of thing is already been written by many people, the OP
> needs to just use
> something that already exists, session tracking code is not something
> you should be
> writting unless you are writing framework code or an app server.
>
> and since he is confusing / equating authenticaiton == sessions he
> lacks a fundemental

just interested,who do you refer to by "he"?

> understanding about security and authentication, authorization and
> stateful vs stateless semantics.
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Twisted-Python mailing list
>Twisted-Python at twistedmatrix.com
>http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>  
>





More information about the Twisted-Python mailing list