[Twisted-web] [Nevow] new chapter about authentication

Valentino Volonghi aka Dialtone dialtone at divmod.com
Fri Aug 4 05:13:57 CDT 2006

On Fri, 04 Aug 2006 09:56:16 +0200, Manlio Perillo <manlio_perillo at libero.it> wrote:
>1) The client ask to change the password
>2) The application ask the old password and the new one
>3) do the query:
>   UPDATE Accounts SET password=md5(:new_password)
>   WHERE password=md5(:old_password)
>The application developers can forget to invalidate the "old" session.

I remember you said the problem was stealing the password. I can't see how this is going to allow stealing the old password.
If you don't want an attacker to take control of the session of another user then use HTTPs.

>Ok, but sessions cannot exists without cookies (or other solutions to
>keep state beetwen successive requests).

this is an HTTP problem and of its stateless nature.

>The problem is that "GuardSession" are not simply session!
>They allow an user who only know the session ID to authenticate into a

The problem of ALL the session systems. If you want to avoid this use HTTPs.

>So this means that the development of new guard is goind to happen in
>Nevow and *then* ported to web2?

Yes, unless web2 discovers a new and wonderful way to deal with this problem.

>You can need to initialize some state in your Session.
>class ICounter(Interface):
>   pass
>class CounterSession(Session):
>	def __init__(self):
>		self.count = 0
>sc = SessionManager.getSession(ICounter)

>I can now use this simple session to limit logins attemps.

This usecase is not a very good example of why it is a good idea.
But I think it may be required for OpenID and similar mechanisms.

>Well, of course an attacker will not use cookies at all...
>But I can bind the session to the source IP address, using this value as
>session key
>(at least I would like to send an email to the site admin when having
>100 logins attemps from the same IP address).

I can't think of this feature in a pluggable way. If you want it just code it in your Session object. It's fairly easy to do.
>> This is not enough reason anyway. You have to explain why it is a bad idea.
>I don't like the idea to have "authentication only" sessions.
>SessionManager (and CookieFactory) is a general class that should not
>live in guard.

Any _technical_ reason? importing a module and getting only the objects you
need from it doesn't sound so bad to me.

More information about the Twisted-web mailing list