[Twisted-Python] Re: cred and stateless protocols

jarrod roberson jarrod at vertigrated.com
Sun May 7 16:25:31 EDT 2006


On 5/6/06, Manlio Perillo <manlio_perillo at libero.it> wrote:
>
> jarrod roberson wrote:
> > [...]
> >
> > an intelligent session management implementation would be able to
> > tell from
> > the auth request that the user had already started a session and just
> > use that.
> >
> > this kind of thing is already been written by many people, the OP needs
> > to just use
> > something that already exists, session tracking code is not something
> > you should be
> > writing unless you are writing framework code or an app server.
> >
> > and since he is confusing
>
> Yes, I wrongly use the term REST protocol in place of UDP connections.
>
> / equating authentication == sessions he lacks
>
> Not really.
>
> I simply have seen an UDP protocol that uses sessions to identify each
> request.
> The session is obtained after an authentication phase.


if the session id never changes I am SURE you have seen an insecure UDP
protocol,
which means unless the client and server are generating dynamic single use
tokens and "know" what the next valid session id the client should send,
which implies encryption plus authentication on every request.

> Since I think that the procedure is similar to HTTP session handling, I
> was asking if there is some reusable support for creating "secure"
> session id and if cred has some support for this.



you still don't understand STATE != Authentication.

ANYONE can sniff the packets, get whatever token or breadcrumb you are using
for the state id and spoof it.
that is unless you REQUIRE authentication on every request. "secure" session
ids imply a form of authentication on every request.

you can't just "encrypt" a string and call it a "secure" session id.

you can have UNSECURE STATE tracking without Authentication on every
request, using server side sessions is just one way to do it.

you can NOT have SECURE STATE tracking without some form of authentication
on every request, that authentication might be "implied" by some encryption
process, but it is still a form of authentication.
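The "authentication on every request" that Jarrod's reply calls for, as an added example that is not part of the original thread or of Twisted's cred. It assumes that the authentication phase (not shown) leaves both sides holding a per-session secret key, that each datagram carries the session id, a monotonically increasing sequence number, the payload and an HMAC-SHA256 tag over all three, and that the server keeps the last accepted sequence number per session. With only a session id in the datagram, anyone who observed it could reuse it; with the tag, a datagram from a sender who lacks the key, a tampered datagram, or a replayed one is rejected. The wire layout and the `SessionServer` / `build_datagram` names are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed wire layout (assumption, not from the thread):
#   16-byte session id | 8-byte big-endian sequence number | payload | 32-byte tag
# The tag is HMAC-SHA256 over everything that precedes it.
SESSION_ID_LEN = 16
SEQ_LEN = 8
TAG_LEN = 32


class SessionServer:
    """Server side: mints sessions after authentication, verifies each datagram."""

    def __init__(self):
        # session_id -> {"key": per-session secret, "last_seq": last accepted seq}
        self._sessions = {}

    def open_session(self):
        """Called once the authentication phase succeeded: return (id, key).

        In a real protocol the key would be derived from or delivered during
        that phase; here it is simply generated and handed back."""
        session_id = os.urandom(SESSION_ID_LEN)
        key = os.urandom(32)
        self._sessions[session_id] = {"key": key, "last_seq": 0}
        return session_id, key

    def verify(self, datagram):
        """Return (accepted, payload) on success or (False, reason) on failure."""
        if len(datagram) < SESSION_ID_LEN + SEQ_LEN + TAG_LEN:
            return False, "truncated"
        session_id = datagram[:SESSION_ID_LEN]
        seq = struct.unpack(">Q", datagram[SESSION_ID_LEN:SESSION_ID_LEN + SEQ_LEN])[0]
        payload = datagram[SESSION_ID_LEN + SEQ_LEN:-TAG_LEN]
        tag = datagram[-TAG_LEN:]

        state = self._sessions.get(session_id)
        if state is None:
            return False, "unknown session"
        # Recompute the tag with the session key; constant-time compare so the
        # check itself does not leak how many bytes of the tag were right.
        expected = hmac.new(state["key"], datagram[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        # A valid tag on an old sequence number is a replayed datagram.
        if seq <= state["last_seq"]:
            return False, "replay"
        state["last_seq"] = seq
        return True, payload


def build_datagram(session_id, key, seq, payload):
    """Client side: frame a request and authenticate it with the session key."""
    header = session_id + struct.pack(">Q", seq) + payload
    return header + hmac.new(key, header, hashlib.sha256).digest()


def demo():
    """Walk through the cases the thread argues about; returns the outcomes."""
    server = SessionServer()
    sid, key = server.open_session()

    # Genuine request with the right key and a fresh sequence number.
    ok_genuine, _ = server.verify(build_datagram(sid, key, 1, b"GET /status"))
    # The same datagram sent again: tag verifies, sequence number is stale.
    ok_replay, why_replay = server.verify(build_datagram(sid, key, 1, b"GET /status"))
    # A sender who only knows the session id (no key): tag cannot verify.
    ok_nokey, why_nokey = server.verify(build_datagram(sid, b"wrong-key", 2, b"GET /status"))
    # A genuine datagram whose payload was altered in flight: tag no longer matches.
    genuine = build_datagram(sid, key, 3, b"GET /status")
    tampered = genuine[:SESSION_ID_LEN + SEQ_LEN] + b"GET /secret" + genuine[-TAG_LEN:]
    ok_tamper, why_tamper = server.verify(tampered)

    return {
        "genuine": ok_genuine,
        "replay": (ok_replay, why_replay),
        "no_key": (ok_nokey, why_nokey),
        "tampered": (ok_tamper, why_tamper),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note that the tag is the authentication; the sequence number only closes the replay hole that a tag alone leaves open, and neither provides confidentiality, which the thread treats as a separate (encryption) concern. A lost-datagram policy (accepting a window of sequence numbers rather than strictly the next one) is a design choice this example leaves out.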