[Twisted-web] Session Based Security for PyAmf application

Phil Mayers p.mayers at imperial.ac.uk
Tue Aug 19 05:20:59 EDT 2008


Shawn Church wrote:
> So what is the bottom line?  The standard Twisted session,  in the 
> t.w.server module,  creates a UID from a MD5 hash of a sequential number 
> + random().  This UID is stored in a cookie.  So is it safe to store 
> user data in the session object and assume that the correct user is 
> returned for a given request (assuming https is used and also assuming 
> that no one is hacking the cookies on the user's computer)? 

"It depends".

We use that method, as do an awful lot of web service providers, and 
it's secure enough for our needs.

So, I would say "yes".

> 
> Well,  just as I finished typing the above I noticed that Phil Mayers 
> wrote a more detailed response.  I could set Digest auth via Flex but 
> what about twisted? I was trying to avoid twisted.web2 because my 
> understanding is that it is being phased out.

I was being a tiny bit speculative. However, twisted.web has recently 
acquired new http authentication infrastructure (as opposed to the 
form-based guard stuff already present) which can handle digest.

See:

http://twistedmatrix.com/trac/browser/trunk/doc/web/examples/webguard.py

...however, digest auth only gives you "session-like" capabilities if 
you're using the md5-sess algorithm, and the comments here:

http://twistedmatrix.com/trac/browser/trunk/twisted/web/_auth/digest.py#L26

...make me wonder if the "new" code does?
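A worked illustration of the choice the thread turns on, added here and not part of the original message or of Twisted's code: a reconstruction of the counter-plus-random() UID scheme as the question describes it, beside a UID drawn from the OS CSPRNG, with a small server-side store and the cookie attributes that matter once the UID is the only credential. SessionStore, set_cookie_header and the cookie name are assumptions.

```python
import hashlib
import random
import secrets
import time

# Reconstruction of the scheme described in the thread (not Twisted's own
# code): MD5 over a sequential counter plus random().  Python's random()
# is a Mersenne Twister, not a cryptographic generator, so the counter
# contributes no secrecy and the hash adds none.
_counter = 0

def legacy_session_uid():
    """UID in the style described for t.w.server (constructed reconstruction)."""
    global _counter
    _counter += 1
    return hashlib.md5(f"{_counter}{random.random()}".encode()).hexdigest()

def secure_session_uid(nbytes=32):
    """UID from the OS CSPRNG via the secrets module (256 bits by default)."""
    return secrets.token_hex(nbytes)

class SessionStore:
    """Minimal server-side store keyed by an unpredictable UID (assumed helper)."""
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, data, now=None):
        now = time.time() if now is None else now
        uid = secure_session_uid()
        self._sessions[uid] = {"data": data, "expires": now + self.ttl}
        return uid

    def lookup(self, uid, now=None):
        """Return the session data, or None if the UID is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(uid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[uid]   # drop stale state so old UIDs never revive
            return None
        return entry["data"]

def set_cookie_header(uid, name="TWISTED_SESSION"):
    """Set-Cookie value keeping the UID off plain HTTP and away from page scripts."""
    return f"{name}={uid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Storing user data server-side under the UID, as the question proposes, is only as safe as the UID is unguessable and the cookie is confined to HTTPS; the store above also expires sessions so a leaked UID has a bounded lifetime.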
