[Twisted-web] Session Based Security for PyAmf application

Shawn Church shawn at schurchcomputers.com
Mon Aug 18 17:02:24 EDT 2008


I'm using https so encryption is not an issue (although there are no plans
to use verisign or any other third-party service to validate the IP
address.  The application is for in-house use and will not be publicly
accessible so this should not be an issue).

Thank you for the reference to txOpenID,  I will download and plunder it for
ideas.
On Mon, Aug 18, 2008 at 1:28 PM, Phil Christensen <phil at bubblehouse.org> wrote:

> On Aug 18, 2008, at 4:07 PM, Shawn Church wrote:
>
>> I want to store user data in t.w.s.Session to allow a persistent logon.
>>  As the login will be made with a PyAmf method call I do not think that
>> t.w.w.Guard will work because it appears to process the login from POST
>> data.   It is trivial to store the user data in the session object with
>> Request.getSession,  but is this a secure method?  Could someone guess the
>> session key and use it to forge credentials?  Is there a better way to do
>> this?
>>
>
> Whenever you're dealing with sessions over unencrypted HTTP, it is
> potentially possible to forge credentials. I don't know for sure whether
> guard checks the IP address of a request against the original one that
> created the session in the first place, but even that could technically be
> forged.
>
>>  The PyAmf examples send the username and password with every method call.
>>  I would prefer to use the session because the user can log-on once for
>> multiple windows/tabs.  The twisted PB security model seems much more
>> elegant than what is available for twisted.web.  Am I missing something????
>>
>
>
> I know what you mean; there are a number of things I don't like about Nevow
> guard, although I have to say I haven't spent any time with twisted.web's
> guard, and I know there are some differences.
>
> However, the only real difference between the PB and twisted.web security
> models is guard itself (versus the PB login() methods). They both use
> twisted.cred for dealing with authentication, which is an excellent
> implementation of a common requirement.
>
> If you can get a decent familiarity with twisted.cred, you can implement
> just about any session mechanism you might like. For an example, you could
> check out my txOpenID project (https://launchpad.net/txopenid). In this
> case, I needed to handle sessions without adding redirects to the
> authentication flow, save session data in a relational database, and
> programmatically determine where to redirect an unauthenticated user.
>
> My solution in this case was to create a superclass resource that all my
> authenticated resources would inherit from. This is almost definitely not
> the "Twisted way" to do this, but it works exceptionally well for my needs.
>
> Hope this was some help,
>
> -phil
>
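As an added illustration, not code from this thread or from txOpenID, of the base-resource pattern Phil describes combined with binding the PyAmf login to the session: the FakeSession/FakeRequest classes, the avatar_id attribute and the USERS table are constructed stand-ins for twisted.web's Session/Request and a twisted.cred checker, so the authorization logic runs without Twisted installed.

```python
class FakeSession:
    def __init__(self):
        self.avatar_id = None          # my attribute; set only by amf_login()

class FakeRequest:
    """Only the twisted.web Request methods this example needs."""
    def __init__(self, session, secure=True):
        self._session, self._secure = session, secure
        self.code = 200
    def getSession(self):
        return self._session
    def isSecure(self):
        return self._secure
    def setResponseCode(self, code):
        self.code = code

# Constructed user table standing in for a twisted.cred checker; a real
# deployment would call Portal.login() here instead of comparing plaintext.
USERS = {"alice": "correct horse"}

def check_credentials(username, password):
    return username if USERS.get(username) == password else None

def amf_login(request, username, password):
    """PyAmf-exposed login: validate once, bind the avatar to the session."""
    if not request.isSecure():
        return False               # never accept a password over plain HTTP
    avatar_id = check_credentials(username, password)
    if avatar_id is None:
        return False
    request.getSession().avatar_id = avatar_id
    return True

class AuthenticatedResource:
    """Base-resource pattern: render() is gated on the session; subclasses
    (mixed with twisted.web.resource.Resource) implement render_authenticated."""
    def render(self, request):
        if not request.isSecure():
            request.setResponseCode(403)
            return b"https required"
        avatar_id = request.getSession().avatar_id
        if avatar_id is None:
            request.setResponseCode(401)
            return b"login required"
        return self.render_authenticated(request, avatar_id)
    def render_authenticated(self, request, avatar_id):
        raise NotImplementedError

class Whoami(AuthenticatedResource):
    def render_authenticated(self, request, avatar_id):
        return b"hello " + avatar_id.encode()
```

Once the avatar is bound, every tab sharing the session cookie passes the check without resending the password, which is the behaviour Shawn wanted from t.w.s.Session.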