[Twisted-web] [Nevow] new chapter about authentication
radix at twistedmatrix.com
Mon Aug 7 09:31:32 CDT 2006
On 8/7/06, Manlio Perillo <manlio_perillo at libero.it> wrote:
> Jean-Paul Calderone ha scritto:
> > Feel free to do this, but it's not the recommended way to address this
> > use case in twisted.web or Nevow. The version of guard which is
> > in releases of either won't work this way, nor will the documentation
> > recommend this approach.
> And guard resolves the problem requiring that even anonymous users have
> a session.
This is true. However, I think you're very confused in thinking that this is
> Guard is not only doing an unnecessary thing (pages with cookies can
> have problems with cache, AFAIK) but this creates a potential (very rare
> indeed) security problem since an anonymous user gains a valid session ID
> that can be "authenticated" by a valid user (session fixation).
First: What "problems with cache" are you referring to?
How do you expect to be able to tell different anonymous users apart without
sessions and session IDs?
International Man of Twistery
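The session-fixation scenario Manlio raises, worked through as an added example that is not part of the original message and is not Nevow's guard code. It models a cookie-style server-side session store in which every visitor, anonymous or not, receives a session ID (the behaviour attributed to guard above), and compares two login policies: upgrading the anonymous ID in place, and rotating it at authentication time. The store, the `USERS` credential table and the attack simulation are all constructed for this illustration.

```python
"""Session fixation against an anonymous-session store (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential table. Plaintext only to keep the example short;
# a real store holds password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None  # None means the session is still anonymous


class SessionStore:
    """Every visitor, including anonymous ones, gets a session ID.

    Whether that is a problem depends on what happens to the ID at login.
    """

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session()
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session.user if session else None

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Authenticate the holder of `sid`.

        Returns the session ID the client must present from now on, or
        None if the session is unknown or the credentials are wrong.
        """
        if sid not in self._sessions:
            return None
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return None
        if not self.rotate_on_login:
            # Vulnerable policy: the anonymous ID is upgraded in place, so
            # anyone who already knows it now holds an authenticated session.
            self._sessions[sid].user = username
            return sid
        # Hardened policy: discard the pre-authentication ID and issue a
        # fresh one. Whoever planted the old ID is left with a dead session.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=username)
        return new_sid


def fixation_attack_succeeds(store: SessionStore) -> bool:
    """Simulate the attack described in the thread; True if it works.

    1. The attacker visits anonymously and receives a valid session ID.
    2. The attacker gets that ID into the victim's browser (how is out of
       scope here) and the victim logs in while presenting it.
    3. The attacker presents the original ID again.
    """
    planted_sid = store.new_anonymous_session()                      # step 1
    victim_sid = store.login(planted_sid, "alice", USERS["alice"])  # step 2
    assert victim_sid is not None, "the victim's own login should succeed"
    return store.user_for(planted_sid) == "alice"                    # step 3


if __name__ == "__main__":
    for rotate in (False, True):
        result = fixation_attack_succeeds(SessionStore(rotate_on_login=rotate))
        print(f"rotate_on_login={rotate}: attacker authenticated as alice? {result}")
```

The point the example makes is that handing anonymous users a session ID is not by itself the vulnerability; the vulnerability is letting a session ID that was valid before authentication remain valid afterwards. Rotating the ID whenever the session's privilege level changes closes the fixation window regardless of how the attacker planted the ID.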