[Twisted-Python] Re: cred and stateless protocols

jarrod roberson jarrod at vertigrated.com
Sat May 6 09:09:17 MDT 2006


On 5/5/06, Nicola Larosa <nico at teknico.net> wrote:
>
> > HTTP auth can also be used in such a way that the "session" is simply
> > the username that is being authenticated.  nevow.guard attempts to make
> > the distinction between cookie-based and http-auth-based sessions simply
> > an implementation detail.
>
> Unfortunately they're functionally equivalent only as long as the same
> credentials are only used on one browser instance at the same time. If one
> user authenticates himself on two browsers with the same credentials, there
> can be two distinct cookie-based sessions, but only one http-auth based
> "session".
>

that would be the case for a NAIVE cookie-based session.

an intelligent session management implementation would be able to tell from
the auth request that the user had already started a session and just use
that.

this kind of thing has already been written by many people; the OP needs to
just use something that already exists. session tracking code is not something
you should be writing unless you are writing framework code or an app server.

and since he is confusing / equating authentication == sessions he lacks a
fundamental understanding about security and authentication, authorization and
stateful vs stateless semantics.