[Twisted-web] [Nevow] new chapter about authentication

Valentino Volonghi aka Dialtone dialtone at divmod.com
Fri Aug 4 05:13:57 CDT 2006


On Fri, 04 Aug 2006 09:56:16 +0200, Manlio Perillo <manlio_perillo at libero.it> wrote:
>1) The client ask to change the password
>2) The application ask the old password and the new one
>3) do the query:
>   UPDATE Accounts SET password=md5(:new_password)
>   WHERE password=md5(:old_password)
>
>The application developers can forget to invalidate the "old" session.

I remember you said the problem was stealing the password. I can't see how this is going to allow stealing the old password.
If you don't want an attacker to take control of the session of another user then use HTTPS.

>Ok, but sessions cannot exist without cookies (or other solutions to
>keep state between successive requests).

This is a problem of HTTP and its stateless nature.

>The problem is that "GuardSession" are not simply session!
>They allow a user who only knows the session ID to authenticate into a
>system.

This is the problem of ALL session systems. If you want to avoid this, use HTTPS.

>Ok.
>So this means that the development of the new guard is going to happen in
>Nevow and *then* ported to web2?

Yes, unless web2 discovers a new and wonderful way to deal with this problem.

>You may need to initialize some state in your Session.
>from zope.interface import Interface
>
>class ICounter(Interface):
>    pass
>
>class CounterSession(Session):
>    def __init__(self):
>        self.count = 0
>
>
>sc = SessionManager.getSession(ICounter)

>I can now use this simple session to limit login attempts.

This use case is not a very good example of why it is a good idea.
But I think it may be required for OpenID and similar mechanisms.

>Well, of course an attacker will not use cookies at all...
>But I can bind the session to the source IP address, using this value as
>session key
>(at least I would like to send an email to the site admin when having
>100 login attempts from the same IP address).

I can't think of this feature in a pluggable way. If you want it just code it in your Session object. It's fairly easy to do.
>> This is not enough reason anyway. You have to explain why it is a bad idea.
>>
>
>I don't like the idea to have "authentication only" sessions.
>SessionManager (and CookieFactory) is a general class that should not
>live in guard.

Any _technical_ reason? importing a module and getting only the objects you
need from it doesn't sound so bad to me.
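As an added illustration of the two points argued over above (invalidating a user's other sessions when the password changes, and counting failed logins per source IP so an admin can be alerted), here is a self-contained Python sketch. It is example code written for this page, not Nevow's guard or anything posted by either participant; the class names (SessionStore, Accounts, LoginGuard), the salted PBKDF2 password storage in place of the plain md5() in the quoted UPDATE, and the threshold handling are all assumptions made for the example.

```python
"""Added example (not from the thread): a session store that drops a user's
other sessions on password change, plus a per-IP failed-login counter.
All names here are hypothetical and are not Nevow API."""
import hashlib
import hmac
import secrets


class SessionStore:
    """Maps opaque session ids to usernames (assumed in-memory store)."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # unguessable id, unlike a bare counter
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def invalidate_user(self, username, keep=None):
        """Drop every session of `username` except `keep` (the session that
        performed the password change). Returns how many were dropped."""
        dropped = [s for s, u in self._sessions.items() if u == username and s != keep]
        for s in dropped:
            del self._sessions[s]
        return len(dropped)


class Accounts:
    """Password store using salted PBKDF2 (assumption; the thread used md5)."""

    def __init__(self, sessions):
        self._pw = {}  # username -> (salt, derived key)
        self.sessions = sessions

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._pw[username] = (salt, self._derive(salt, password))

    def check(self, username, password):
        rec = self._pw.get(username)
        if rec is None:
            return False
        salt, key = rec
        return hmac.compare_digest(key, self._derive(salt, password))

    def change_password(self, sid, old, new):
        """Step the thread describes: verify old password, store the new one,
        and then (the step developers forget) invalidate the other sessions."""
        username = self.sessions.user_for(sid)
        if username is None or not self.check(username, old):
            return False
        self.register(username, new)
        self.sessions.invalidate_user(username, keep=sid)
        return True


class LoginGuard:
    """Counts failed logins per source IP and records an alert at threshold."""

    def __init__(self, accounts, threshold=100):
        self.accounts = accounts
        self.threshold = threshold
        self._failures = {}  # ip -> consecutive failure count
        self.alerts = []     # ips that hit the threshold (where mail would be sent)

    def login(self, ip, username, password):
        if self.accounts.check(username, password):
            self._failures.pop(ip, None)
            return self.accounts.sessions.create(username)
        n = self._failures.get(ip, 0) + 1
        self._failures[ip] = n
        if n == self.threshold:
            self.alerts.append(ip)
        return None


def demo():
    """Two live sessions for alice; one changes the password; the other dies.
    Then a constructed burst of bad logins from one IP trips the alert."""
    store = SessionStore()
    accounts = Accounts(store)
    accounts.register("alice", "old-pw")
    guard = LoginGuard(accounts, threshold=3)
    s1 = guard.login("10.0.0.1", "alice", "old-pw")
    s2 = guard.login("10.0.0.2", "alice", "old-pw")
    changed = accounts.change_password(s1, "old-pw", "new-pw")
    for _ in range(3):
        guard.login("10.0.0.9", "alice", "old-pw")  # old password no longer valid
    return {
        "changed": changed,
        "own_session_alive": store.user_for(s1) is not None,
        "other_session_alive": store.user_for(s2) is not None,
        "alerts": list(guard.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The IP-keyed counter is the part Dialtone says is easy to write into your own Session object; note that it is only a heuristic, since an attacker need not reuse one source address, and that the invalidation step is what closes the window the quoted UPDATE statement leaves open.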
