[Twisted-web] [Nevow] new chapter about authentication

Christopher Armstrong radix at twistedmatrix.com
Mon Aug 7 09:31:32 CDT 2006


On 8/7/06, Manlio Perillo <manlio_perillo at libero.it> wrote:
>
> Jean-Paul Calderone ha scritto:
>
> > Feel free to do this, but it's not the recommended way to address this
> > use case in twisted.web or Nevow.  The version of guard which is
> included
> > in releases of either won't work this way, nor will the documentation
> > recommend this approach.
> >
>
> Yes.
> And guard resolves the problem requiring that even anonymous users have
> a session.


This is true. However, I think you're very confused in thinking that this is
not necessary.

> Guard is not only doing a not necessary thing (page with cookies can
> have problems with cache, AFAIK) but this create a potential (very rare
> indeed) security problem since an anonymous user gain a valid session ID
> that can be "authenticated" by a valid user (session fixation).


First: What "problems with cache" are you referring to?

How do you expect to be able to tell different anonymous users apart without
sessions and session IDs?

-- 
Christopher Armstrong
International Man of Twistery
http://radix.twistedmatrix.com/
http://twistedmatrix.com/
http://canonical.com/
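The session fixation point raised in the quoted message, as an added example that is not code from Twisted, Nevow or anyone in this thread: a toy session store in which every visitor, anonymous or not, holds a session, showing the vulnerable pattern (marking the pre-login session as authenticated in place) beside the mitigation (issuing a fresh ID on authentication). All class, method and user names are constructed.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed example, not Nevow's guard).

    Anonymous users get a session ID as soon as they arrive, as the thread
    describes.  Whether that is a fixation hazard depends on what login does
    with the pre-existing ID.
    """

    def __init__(self):
        # session id -> session data; "user" is None until authenticated
        self._sessions = {}

    def new_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def login_fixable(self, sid, username):
        """Vulnerable pattern: authenticate the session the browser already has.
        Anyone who learned the pre-login ID now holds an authenticated session."""
        self._sessions[sid]["user"] = username
        return sid

    def login_rotated(self, sid, username):
        """Mitigated pattern: retire the pre-login ID and mint a new one, so an
        ID observed or planted before login is worthless afterwards."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def demo():
    """Return (fixable_leaks, rotated_leaks): is the pre-login ID still usable?"""
    store = SessionStore()
    pre_login = store.new_anonymous()
    store.login_fixable(pre_login, "alice")
    fixable_leaks = store.lookup(pre_login)["user"] == "alice"

    store = SessionStore()
    pre_login = store.new_anonymous()
    store.login_rotated(pre_login, "alice")
    rotated_leaks = store.lookup(pre_login) is not None
    return fixable_leaks, rotated_leaks
```

Running `demo()` returns `(True, False)`: the in-place login leaves the old ID authenticated, while rotation invalidates it.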