[Twisted-web] [Nevow] new chapter about authentication

Manlio Perillo manlio_perillo at libero.it
Mon Aug 7 03:16:12 CDT 2006


Jean-Paul Calderone wrote:
> On Sun, 06 Aug 2006 23:40:33 +0200, Manlio Perillo
> <manlio_perillo at libero.it> wrote:
>> Jean-Paul Calderone wrote:
>>> [...]
>>>
>>>> I have found an example that needs specialized (non authenticators)
>>>> sessions.
>>>>
>>>> Several e-commerce sites allow customers to put items into a basket
>>>> even if they are not authenticated.
>>>
>>> No.  This case is no different from any other.  Cred does not make
>>> anonymous users a special case: it deals with them in the same way
>>> it deals with all other users.
>>>
>>> Guard is entirely capable of providing a shopping cart to
>>> unauthenticated users.
>>>
>>
>> This is not the point.
>> The point is in having sessions that are not used for authentication.
>>
>> I have just finished to write a version of guard that *do not* use
>> sessions for anonymous users.
>>
>> This means that for dealing for an e-commerce application I have to
>> create a specialized session.
>> Hopefully I would like to do:
>>
>> class BasketSession(Session):
>>   def __init__(self, *args, **kwargs):
>>       Session.__init__(self, *args, **kwargs)
>>
>>       self.basket = []
>>
> 
> Feel free to do this, but it's not the recommended way to address this
> use case in twisted.web or Nevow.  The version of guard which is included
> in releases of either won't work this way, nor will the documentation
> recommend this approach.
> 

Yes.
And guard resolves the problem by requiring that even anonymous users have
a session.

Guard is not only doing an unnecessary thing (pages with cookies can
have problems with caches, AFAIK), but this creates a potential (very rare
indeed) security problem, since an anonymous user gains a valid session ID
that can be "authenticated" by a valid user (session fixation).



Thanks and regards,
Manlio Perillo
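The session fixation concern raised above is normally addressed by issuing a fresh session ID at the moment a session becomes authenticated, so that an ID handed out to an anonymous visitor is never the one a logged-in user ends up with. The following is an added example, not code from guard or Nevow: a minimal in-memory session store that rotates the ID on authentication while carrying the anonymous basket over (the names `SessionStore`, `new_anonymous` and `authenticate` are chosen for this illustration).

```python
import secrets

# Added example (not guard/Nevow code): a session store that gives
# anonymous visitors a session for their basket, but never lets that
# anonymous ID become an authenticated one.


class SessionStore:
    def __init__(self):
        # session id -> session state (user binding and basket contents)
        self._sessions = {}

    def new_anonymous(self):
        """Create an anonymous session, e.g. to hold a shopping basket."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "basket": []}
        return sid

    def get(self, sid):
        """Look up session state; None if the id is unknown or retired."""
        return self._sessions.get(sid)

    def authenticate(self, sid, username):
        """Bind a user to the session and return a *new* session id.

        The pre-login id is retired, so anyone who learned it before the
        user logged in cannot use it afterwards (this is the fixation
        mitigation). The basket from the anonymous session is kept.
        """
        state = self._sessions.pop(sid, None)
        if state is None:
            raise KeyError("unknown session id")
        new_sid = secrets.token_urlsafe(32)
        state["user"] = username
        self._sessions[new_sid] = state
        return new_sid


def demo():
    """Walk through the thread's scenario: anonymous basket, then login."""
    store = SessionStore()
    anon = store.new_anonymous()
    store.get(anon)["basket"].append("item-1")
    auth = store.authenticate(anon, "alice")
    # The old id is gone; the new one carries the user and the basket.
    return anon != auth, store.get(anon) is None, store.get(auth)
```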



