[Twisted-web] [Nevow] about new guard in sandbox

Manlio Perillo manlio_perillo at libero.it
Thu Aug 3 04:12:17 CDT 2006


Valentino Volonghi aka Dialtone wrote:
> On Tue, 01 Aug 2006 21:05:15 +0200, Manlio Perillo
> <manlio_perillo at libero.it> wrote:
>> And what's the problem?
>> Hopefully you are not going to reboot the server every week, and users
>> can always relogin.
> 
> I as a user _HATE_ when I lose my session just because the developers
> rebooted the application. I even hate when the browser loses the session
> between restarts. You might also be browsing the website when suddenly
> you are logged out because of a restart.
> 

But in this case your solution does not always work.
The user can have a transient session.

> [...]

>> I don't want (still) to use guard because there are a lot of things that
>> I do not understand.
> 
> Why are you using Nevow or Twisted at all then? Even _I_ do not
> understand completely what Nevow does with the context in its
> internals... guard (even in its current shape) is much less complicated
> than the whole context business.
> 
>> Like support for multiple portals, setResourceForPortal and so.
> 
> This has nothing to do with guard. I suggest reading the cred tutorial
> from twisted.
> 

setResourceForPortal is actually very trivial ;-)
It just stores the resource on the session object.

The problem is with multiple portals support: any examples?



Some considerations
-------------------

Now I think I understand why Guard stores a session for anonymous users.
From cred's point of view an anonymous user is just like an ordinary user.

Since Guard stores resources on the session object, it needs to create
sessions for anonymous users.

However this poses a security problem (session fixation).

The anonymous user is registered with the Credentials Checker in the
same way as an ordinary user.
However the credentials checker can handle this case specially;
for example, it does not require accessing a database for a
DatabasePasswordDB.

This means that resources for anonymous users cannot be stored on
sessions, requiring a new login to the portal and no need for sessions
at all.

Only ordinary users resources can/should be stored on the session.

This also means that the guard implementation in the sandbox (as is)
**does** not need to create sessions for anonymous users.


What we need is to run some benchmarks:
1) access to a simple resource
2) access to a guard protected resource
3) access to a guard draft (in Valentino's sandbox) protected resource

Tests 2 and 3 should be repeated for a Credentials Checker that simulates
access to a time-consuming resource to authenticate users.



Thanks and regards  Manlio Perillo
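The session policy argued for above (no session for anonymous users, a fresh session id only once a login succeeds, so a pre-login id can never be carried into an authenticated session), as an added toy illustration that is not Nevow's guard or the sandbox code; `ToyGuard`, `USERS` and the resource names are constructed for this example.

```python
import secrets

# Constructed stand-in for a cred checker's backing store (example only).
USERS = {"alice": "s3cret"}


class ToyGuard:
    """Minimal guard-like wrapper: sessions exist only for authenticated users."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "resource": ...}

    def _check(self, credentials):
        # Anonymous access needs no database lookup at all: the checker
        # handles this case specially and returns a fixed avatar id.
        if credentials is None:
            return "anonymous"
        user, password = credentials
        return user if USERS.get(user) == password else None

    def request(self, cookie_sid, credentials=None):
        """Handle one request; returns (session id to set or None, resource)."""
        # 1. A valid, existing session with no new credentials: serve the
        #    resource stored on that session.
        if credentials is None and cookie_sid in self.sessions:
            return cookie_sid, self.sessions[cookie_sid]["resource"]
        avatar = self._check(credentials)
        if avatar is None:
            return None, "login-form"
        # 2. Anonymous users get their resource directly from the portal on
        #    every request; no session is created, so there is no pre-login
        #    session id that could later be reused (session fixation).
        if avatar == "anonymous":
            return None, "public-page"
        # 3. Successful login: discard whatever id the client presented and
        #    issue a fresh, unguessable one before storing the resource.
        self.sessions.pop(cookie_sid, None)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": avatar, "resource": "home-" + avatar}
        return sid, self.sessions[sid]["resource"]
```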



