[Twisted-web] [Nevow] new chapter about authentication

Christopher Armstrong radix at twistedmatrix.com
Mon Aug 7 09:31:32 CDT 2006

On 8/7/06, Manlio Perillo <manlio_perillo at libero.it> wrote:
> Jean-Paul Calderone wrote:
> > Feel free to do this, but it's not the recommended way to address this
> > use case in twisted.web or Nevow.  The version of guard which is
> > included
> > in releases of either won't work this way, nor will the documentation
> > recommend this approach.
> >
> Yes.
> And guard resolves the problem requiring that even anonymous users have
> a session.

This is true. However, I think you're very confused in thinking that this is
not necessary.

> Guard is not only doing an unnecessary thing (pages with cookies can
> have problems with caching, AFAIK) but this creates a potential (very rare
> indeed) security problem since an anonymous user gains a valid session ID
> that can be "authenticated" by a valid user (session fixation).

First: What "problems with cache" are you referring to?

How do you expect to be able to tell different anonymous users apart without
sessions and session IDs?

Christopher Armstrong
International Man of Twistery
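The standard mitigation for the session-fixation concern raised in the quoted text, as an added example that is not code from Nevow, guard or anyone in this thread: a constructed, framework-independent session store that still gives anonymous visitors a session (so they can be told apart) but issues a fresh session ID the moment a session becomes authenticated, with the in-place variant beside it for comparison.

```python
import secrets

# Constructed illustration, not Nevow's guard: a minimal session store
# showing how an anonymous session can exist without its ID ever becoming
# an authenticated one.
class SessionStore:
    def __init__(self):
        # session id -> {"user": None} for anonymous, {"user": name} once logged in
        self._sessions = {}

    def new_anonymous_session(self):
        """Give an anonymous visitor a session so requests can be told apart."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the authenticated user for sid, or None for anonymous/unknown."""
        session = self._sessions.get(sid)
        return None if session is None else session["user"]

    def login(self, sid, username):
        """Authenticate by rotating the session ID and retiring the old one.

        The pre-login ID is dropped, so an ID observed or planted before
        authentication is worthless afterwards: this is the fixation defence.
        """
        old = self._sessions.pop(sid, None)
        if old is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def login_without_rotation(self, sid, username):
        """Weak variant for comparison: authenticates the existing ID in place,
        which is exactly the situation the quoted message warns about."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid]["user"] = username
        return sid
```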