[Twisted-web] Session Based Security for PyAmf application

Phil Christensen phil at bubblehouse.org
Mon Aug 18 18:44:29 EDT 2008


On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
>> potentially possible to forge credentials. I don't know for sure  
>> whether guard checks the IP address of a request against the  
>> original one that created the session in the first place, but even  
>> that could technically be forged.
>
> Caches.

My first guess is that you're referring to caching proxies. I don't  
really see how this is an issue, since there's a host of problems  
you'll run into if a misbehaving caching proxy is aggressively  
caching dynamic content.

Or perhaps the issue you're raising is that there exists a security  
issue in that if you are behind a proxy, anyone else behind that  
proxy could hijack your session even if the web app session code is  
checking the client's IP.

But, you know, I'm not so skilled at the whole brevity thing ;-)...

-phil
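The limitation raised above, as an added example that is not from this thread, Twisted, or PyAMF: a minimal session store that can bind a session to the address it was created from, and a scenario in which two clients share one forward proxy so the server sees the same address for both. The `SessionStore`, `proxy_scenario` and the addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    client_ip: Optional[str]  # address captured at creation, None if not bound


class SessionStore:
    """Hypothetical server-side session registry keyed by a random session id."""

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip if self.bind_to_ip else None)
        return sid

    def resolve(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user for sid, or None if unknown or the IP binding fails."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.bind_to_ip and session.client_ip != client_ip:
            return None
        return session.user


def proxy_scenario(bind_to_ip: bool) -> Dict[str, Optional[str]]:
    """Two clients sit behind one forward proxy, so the server sees a single
    source address for both. Returns what the server resolves for the session
    owner, for another client behind the same proxy presenting the owner's
    session id, and for a client elsewhere presenting it."""
    proxy_addr = "203.0.113.10"  # constructed: the proxy's egress address
    other_addr = "198.51.100.7"  # constructed: a client not behind the proxy
    store = SessionStore(bind_to_ip)
    sid = store.create("alice", proxy_addr)
    return {
        "owner": store.resolve(sid, proxy_addr),
        "same_proxy": store.resolve(sid, proxy_addr),  # IP check cannot tell them apart
        "elsewhere": store.resolve(sid, other_addr),
    }
```

With binding on, the check only rejects the client whose address differs from the proxy's, which is the point made above: the session id itself has to stay secret, and the address check adds nothing against peers behind the same proxy.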
