[Twisted-web] Session Based Security for PyAmf application

Shawn Church shawn at schurchcomputers.com
Mon Aug 18 16:07:30 EDT 2008


I want to store user data in t.w.s.Session to allow a persistent logon.  As
the login will be made with a PyAmf method call I do not think that
t.w.w.Guard will work because it appears to process the login from POST
data.   It is trivial to store the user data in the session object with
Request.getSession,  but is this a secure method?  Could someone guess the
session key and use it to forge credentials?  Is there a better way to do
this?

The PyAmf examples send the username and password with every method call.  I
would prefer to use the session because the user can log on once for
multiple windows/tabs.  The twisted PB security model seems much more
elegant than what is available for twisted.web.  Am I missing something????

Thanks in advance and once again thank you for the fantastic work on
twisted.

Shawn Church
I/S Consultant
Shawn At SCchurchComputers.com