[Twisted-web] [Nevow] new chapter about authentication
Manlio Perillo
manlio_perillo at libero.it
Mon Aug 7 03:16:12 CDT 2006
Jean-Paul Calderone wrote:
> On Sun, 06 Aug 2006 23:40:33 +0200, Manlio Perillo
> <manlio_perillo at libero.it> wrote:
>> Jean-Paul Calderone wrote:
>>> [...]
>>>
>>>> I have found an example that needs specialized (non authenticators)
>>>> sessions.
>>>>
>>>> Several e-commerce sites allow customers to put items into a basket
>>>> even if they are not authenticated.
>>>
>>> No. This case is no different from any other. Cred does not make
>>> anonymous users a special case: it deals with them in the same way
>>> it deals with all other users.
>>>
>>> Guard is entirely capable of providing a shopping cart to
>>> unauthenticated users.
>>>
>>
>> This is not the point.
>> The point is in having sessions that are not used for authentication.
>>
>> I have just finished writing a version of guard that *does not* use
>> sessions for anonymous users.
>>
>> This means that for dealing with an e-commerce application I have to
>> create a specialized session.
>> Hopefully I would like to do:
>>
>> class BasketSession(Session):
>>     def __init__(self, ...):
>>         Session.__init__(self, ...)
>>
>>         self.basket = []
>>
>
> Feel free to do this, but it's not the recommended way to address this
> use case in twisted.web or Nevow. The version of guard which is included
> in releases of either won't work this way, nor will the documentation
> recommend this approach.
>
Yes.
And guard resolves the problem by requiring that even anonymous users have
a session.
Guard is not only doing an unnecessary thing (pages with cookies can
have problems with caching, AFAIK) but this creates a potential (very rare
indeed) security problem, since an anonymous user gains a valid session ID
that can be "authenticated" by a valid user (session fixation).
Thanks and regards Manlio Perillo
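The session-fixation concern raised above is usually mitigated by issuing a fresh session ID at the moment a session becomes authenticated, so an ID handed out while anonymous never becomes an authenticated one. The following is an added, stand-alone illustration (not Nevow or guard code; `SessionStore`, `Session` and the method names are invented for the example) that puts the in-place "authenticate the existing ID" behaviour next to the rotating one:

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    """Constructed session record: one per browser, anonymous until login."""
    sid: str
    authenticated_as: Optional[str] = None
    basket: List[str] = field(default_factory=list)


class SessionStore:
    """In-memory store (assumption: a real store would persist and expire)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_anonymous(self) -> str:
        # Anonymous users get a session too, e.g. to hold a shopping basket.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid=sid)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def authenticate_in_place(self, sid: str, username: str) -> str:
        # The pattern the mail warns about: the ID issued while anonymous is
        # simply marked authenticated, so anyone who knew it beforehand now
        # holds an authenticated session.
        self._sessions[sid].authenticated_as = username
        return sid

    def authenticate_with_rotation(self, sid: str, username: str) -> str:
        # Mitigation: retire the anonymous ID and issue a new one, carrying
        # over state such as the basket but not the old identifier.
        old = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(
            sid=new_sid, authenticated_as=username, basket=old.basket
        )
        return new_sid
```

After `authenticate_with_rotation`, a lookup with the pre-login ID returns nothing, which is the property a login handler should assert in its tests.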