[Twisted-web] Session Based Security for PyAmf application
shawn at schurchcomputers.com
Tue Aug 19 03:40:50 EDT 2008
So what is the bottom line? The standard Twisted session, in the
t.w.server module, creates a UID from an MD5 hash of a sequential number +
random(). This UID is stored in a cookie. So is it safe to store user
data in the session object and assume that the correct user is returned for
a given request (assuming https is used and also assuming that no one is
hacking the cookies on the user's computer)?
Well, just as I finished typing the above I noticed that Phil Mayers wrote
a more detailed response. I could set Digest auth via Flex but what about
twisted? I was trying to avoid twisted.web2 because my understanding is that
it is being phased out.
On Mon, Aug 18, 2008 at 5:46 PM, Tristan Seligmann
<mithrandi at mithrandi.net> wrote:
> * Phil Christensen <phil at bubblehouse.org> [2008-08-18 18:44:29 -0400]:
> > On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
> >>> potentially possible to forge credentials. I don't know for sure
> >>> whether guard checks the IP address of a request against the
> >>> original one that created the session in the first place, but even
> >>> that could technically be forged.
> >> Caches.
> > My first guess is that you're referring to caching proxies. I don't
> > really see how this is an issue, since there's a host of problems you'll
> > run into if a misbehaving caching proxy is aggressively caching dynamic
> > content.
> > Or perhaps the issue you're raising is that there exists a security
> > issue in that if you are behind a proxy, anyone else behind that proxy
> > could hijack your session even if the web app session code is checking
> > the client's IP.
> There's also the reverse problem; proxying of requests (or hosts moving
> between networks even without proxies) can cause multiple requests in
> the same session to come from different IP addresses, thus implementing
> this "security measure" will break a significant number of clients, and
> is probably a bad idea (since it is also ineffectual).
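As an added illustration of the point the thread settles on (the session id must be unguessable, the cookie must be protected in transit, and binding the session to a client IP is not a usable safeguard), here is a small server-side session store. It is example code written for this archive page, not Twisted's own session implementation; the cookie name "sessionid" and the injectable clock are assumptions for the demonstration.

```python
import secrets
import time


class SessionStore:
    """Server-side store: user data stays here, only an opaque id goes in the cookie."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}   # uid -> [expires_at, data]
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be exercised in tests

    @staticmethod
    def new_uid():
        # 256 bits from the OS CSPRNG. Unlike md5(counter + random()), nothing
        # about this id can be inferred from earlier ids or from process state.
        return secrets.token_hex(32)

    def create(self, data=None):
        uid = self.new_uid()
        self._sessions[uid] = [self._clock() + self._ttl, dict(data or {})]
        return uid

    def lookup(self, cookie_uid):
        """Return the session data for a presented cookie, or None if unknown or expired.

        The client IP is deliberately not consulted: proxies and roaming hosts
        make it change within one legitimate session, as the reply above notes."""
        entry = self._sessions.get(cookie_uid)
        if entry is None:
            return None
        if self._clock() >= entry[0]:
            del self._sessions[cookie_uid]      # expired: drop it
            return None
        return entry[1]

    def rotate(self, cookie_uid):
        """Move the session to a fresh id (do this at login so a pre-login id cannot be reused)."""
        entry = self._sessions.pop(cookie_uid, None)
        if entry is None:
            return None
        uid = self.new_uid()
        self._sessions[uid] = entry
        return uid

    def cookie_header(self, uid, name="sessionid"):
        # Secure: only sent over https; HttpOnly: not readable by page script.
        return f"{name}={uid}; Path=/; Secure; HttpOnly"
```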