[Twisted-web] Session Based Security for PyAmf application
shawn at schurchcomputers.com
Mon Aug 18 17:02:24 EDT 2008
I'm using https so encryption is not an issue (although there are no plans
to use verisign or any other third-party service to validate the IP
address. The application is for in-house use and will not be publicly
accessible so this should not be an issue).
Thank you for the reference to txOpenID, I will download and plunder it for
On Mon, Aug 18, 2008 at 1:28 PM, Phil Christensen <phil at bubblehouse.org> wrote:
> On Aug 18, 2008, at 4:07 PM, Shawn Church wrote:
>> I want to store user data in t.w.s.Session to allow a persistent logon.
>> As the login will be made with a PyAmf method call I do not think that
>> t.w.w.Guard will work because it appears to process the login from POST
>> data. It is trivial to store the user data in the session object with
>> Request.getSession, but is this a secure method? Could someone guess the
>> session key and use it to forge credentials? Is there a better way to do
> Whenever you're dealing with sessions over unencrypted HTTP, it is
> potentially possible to forge credentials. I don't know for sure whether
> guard checks the IP address of a request against the original one that
> created the session in the first place, but even that could technically be
> The PyAmf examples send the username and password with every method call.
>> I would prefer to use the session because the user can log-on once for
>> multiple windows/tabs. The twisted PB security model seems much more
>> elegant than what is available for twisted.web. Am I missing something?
> I know what you mean; there are a number of things I don't like about Nev
> guard, although I have to say I haven't spent any time with twisted.web's
> guard, and I know there are some differences.
> However, the only real difference between the PB and twisted.web security
> models is guard itself (versus the PB login() methods). They both use
> twisted.cred for dealing with authentication, which is an excellent
> implementation of a common requirement.
> If you can get a decent familiarity with twisted.cred, you can implement
> just about any session mechanism you might like. For an example, you could
> check out my txOpenID project (https://launchpad.net/txopenid). In this
> case, I needed to handle sessions without adding redirects to the
> authentication flow, save session data in a relational database, and
> programmatically determine where to redirect an unauthenticated user.
> My solution in this case was to create a superclass resource that all my
> authenticated resources would inherit from. This is almost definitely not
> the "Twisted way" to do this, but it works exceptionally well for my needs.
> Hope this was some help,
> Twisted-web mailing list
> Twisted-web at twistedmatrix.com
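The questions in this thread (is a session key guessable, does the session survive a client IP change, and how does a cred-style checker fit a login that arrives as an RPC method call rather than a form POST) are answered below in an added, stand-alone example. It is not code from the thread, from txOpenID or from Twisted; it uses only the Python standard library and only mirrors the shape of twisted.cred (a checker that maps credentials to an avatar id, a login step, and a per-request session lookup like Request.getSession). All class and function names, the user table and the client addresses are hypothetical and constructed for the example.

```python
"""Session-based login for an RPC-style endpoint (added example, stdlib only).

Security properties demonstrated:
  * session ids come from the OS CSPRNG with 256 bits of entropy, so they
    cannot be guessed or enumerated;
  * the id is rotated at login, so an id planted before login (session
    fixation) never becomes an authenticated session;
  * sessions die after an idle timeout and, optionally, on a client IP change;
  * protected RPC methods check the server-side avatar id, never client data.
"""
import hashlib
import hmac
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of CSPRNG output per session id
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires
PBKDF2_ROUNDS = 100_000


class UnauthorizedLogin(Exception):
    """Raised by the checker for a bad username or password."""


class NotAuthenticated(Exception):
    """Raised when a protected method is called on an anonymous session."""


def make_user(password):
    """Hypothetical user-table entry: (salt, PBKDF2-HMAC-SHA256 hash)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class InMemoryPasswordChecker:
    """Stand-in for a twisted.cred checker: credentials -> avatar id."""

    def __init__(self, users):
        self._users = users  # {username: (salt, hash)}, constructed by make_user

    def request_avatar_id(self, username, password):
        entry = self._users.get(username)
        # Run the KDF even for unknown users so timing does not reveal which
        # usernames exist; compare in constant time.
        salt, expected = entry if entry else (b"\0" * 16, b"\0" * 32)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if entry is None or not hmac.compare_digest(got, expected):
            raise UnauthorizedLogin(username)
        return username


class Session:
    def __init__(self, client_ip, now):
        self.uid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.client_ip = client_ip   # bound at creation; see get_session
        self.avatar_id = None        # None until login succeeds
        self.last_seen = now


class SessionStore:
    """Server-side session table; the client only ever holds the opaque uid."""

    def __init__(self, checker, clock=time.monotonic, bind_ip=True):
        self._checker = checker
        self._clock = clock
        self._bind_ip = bind_ip     # set False behind NAT or a proxy pool
        self._sessions = {}

    def get_session(self, uid, client_ip):
        """Like Request.getSession: returns the session for uid, or a fresh
        anonymous one if uid is unknown, expired, or from a different IP."""
        now = self._clock()
        s = self._sessions.get(uid) if uid else None
        if s is not None and (now - s.last_seen > IDLE_TIMEOUT
                              or (self._bind_ip and s.client_ip != client_ip)):
            del self._sessions[s.uid]   # invalidate rather than reuse
            s = None
        if s is None:
            s = Session(client_ip, now)
            self._sessions[s.uid] = s
        s.last_seen = now
        return s

    def login(self, session, username, password):
        """RPC-callable login: authenticate, then issue a new session id."""
        avatar_id = self._checker.request_avatar_id(username, password)
        del self._sessions[session.uid]
        session.uid = secrets.token_urlsafe(SESSION_ID_BYTES)  # rotate on login
        session.avatar_id = avatar_id
        self._sessions[session.uid] = session
        return session.uid   # the client stores this (e.g. in a cookie)

    def logout(self, session):
        self._sessions.pop(session.uid, None)
        session.avatar_id = None


def require_login(method):
    """Decorator for RPC methods: refuse calls on anonymous sessions."""
    def wrapper(self, session, *args, **kwargs):
        if session.avatar_id is None:
            raise NotAuthenticated(method.__name__)
        return method(self, session, *args, **kwargs)
    return wrapper


class AccountService:
    """Hypothetical RPC service; every method receives the caller's session."""

    @require_login
    def whoami(self, session):
        return session.avatar_id
```

The session id is never compared against anything the client computes, so its only attack surface is guessing, and 256 random bits from secrets make that infeasible; this holds only if the id is never sent over plaintext HTTP, which is why the thread's HTTPS requirement matters. IP binding is kept as an option because it is cheap for an in-house network but breaks for clients behind NAT or a changing proxy pool.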