On 8/7/06, <b class="gmail_sendername">Manlio Perillo</b> <<a href="mailto:manlio_perillo@libero.it">manlio_perillo@libero.it</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Jean-Paul Calderone wrote:<br><br>> Feel free to do this, but it's not the recommended way to address this<br>> use case in twisted.web or Nevow. The version of guard which is included<br>> in releases of either won't work this way, nor will the documentation
<br>> recommend this approach.<br>><br><br>Yes.<br>And guard resolves the problem requiring that even anonymous users have<br>a session.</blockquote><div><br>This is true. However, I think you're very confused in thinking that this is not necessary.
<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Guard is not only doing an unnecessary thing (pages with cookies can<br>have problems with cache, AFAIK) but this creates a potential (very rare
<br>indeed) security problem since an anonymous user gains a valid session ID<br>that can be "authenticated" by a valid user (session fixation).</blockquote><div><br>First: What "problems with cache" are you referring to?
<br><br>How do you expect to be able to tell different anonymous users apart without sessions and session IDs?<br><br></div></div>-- <br>Christopher Armstrong<br>International Man of Twistery<br><a href="http://radix.twistedmatrix.com/">
http://radix.twistedmatrix.com/</a><br><a href="http://twistedmatrix.com/">http://twistedmatrix.com/</a><br><a href="http://canonical.com/">http://canonical.com/</a><br>
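<p>The session fixation concern raised in this thread, as an added example that is not part of the original messages and is not guard's code: a toy in-memory session store in which anonymous visitors still get a session, so they can be told apart, and the session ID is replaced at login so that an ID known before authentication never becomes an authenticated one. <code>SessionStore</code>, its method names and the sample values are hypothetical.</p>

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical; not guard's implementation)."""

    def __init__(self):
        self._sessions = {}  # session ID -> {"user": str | None, "data": dict}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # unguessable, server-generated

    def get_or_create(self, presented_id=None):
        """Return (sid, session). IDs the server never issued are ignored."""
        if presented_id in self._sessions:
            return presented_id, self._sessions[presented_id]
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "data": {}}
        return sid, self._sessions[sid]

    def login_keep_id(self, sid, user):
        """Weak variant: the pre-login ID becomes the authenticated ID."""
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Hardened variant: move the state to a fresh ID, retire the old one."""
        session = self._sessions.pop(sid)
        session["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def id_known_before_login_is_authenticated(login_method_name):
    """True if an ID that was known before login maps to the user afterwards."""
    store = SessionStore()
    known_sid, session = store.get_or_create()   # anonymous session
    session["data"]["basket"] = ["item-1"]       # constructed anonymous state
    login = getattr(store, login_method_name)
    current_sid = login(known_sid, "alice")      # constructed user name
    # The anonymous state must survive login under either variant.
    assert store.user_for(current_sid) == "alice"
    assert store._sessions[current_sid]["data"]["basket"] == ["item-1"]
    return store.user_for(known_sid) == "alice"
```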