[Twisted-web] [Nevow] new chapter about authentication
Manlio Perillo
manlio_perillo at libero.it
Mon Aug 7 10:29:15 CDT 2006
Christopher Armstrong wrote:
> [...]
> And guard resolves the problem requiring that even anonymous users have
> a session.
>
>
> This is true. However, I think you're very confused in thinking that
> this is not necessary.
This is possible, but someone has to explain to me why they are needed.
>
> Guard is not only doing an unnecessary thing (pages with cookies can
> have problems with cache, AFAIK) but this creates a potential (very rare
> indeed) security problem since an anonymous user gains a valid session ID
> that can be "authenticated" by a valid user (session fixation).
>
>
> First: What "problems with cache" are you referring to?
>
I still have to study how cache works, I have only read
http://www.mnot.net/cache_docs/
> How do you expect to be able to tell different anonymous users apart
> without sessions and session IDs?
>
And why should I do such a thing?
Really, maybe I'm missing something here, I'm not an expert.
Anonymous users simply access the web site without a state, since I do
not need to keep state for them (unless I ask explicitly for this - like
for an e-commerce basket).
If cookies are needed for anonymous users, at least create a new session
when the user authenticates and not just reuse the old one.
Thanks and regards Manlio Perillo
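An added illustration of the two behaviours discussed above, written in plain Python rather than against Nevow's guard (this is not code from the thread or from Nevow): one login path keeps the pre-authentication session ID, the other retires it and issues a fresh one while carrying the anonymous state (the basket) across. The session IDs, the "alice" user and the basket contents are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None                 # None means anonymous
    data: dict = field(default_factory=dict)   # e.g. a basket kept for anonymous users


class SessionStore:
    """Minimal in-memory session store (illustration only, not Nevow's guard)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # Every visitor, anonymous included, gets an unguessable ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_reusing_id(self, sid: str, user: str) -> str:
        # The behaviour objected to in the thread: authentication is stamped onto
        # the anonymous session, so whoever already held this ID now holds an
        # authenticated one.
        self._sessions[sid].user = user
        return sid

    def login_rotating_id(self, sid: str, user: str) -> str:
        # Mitigation: retire the pre-auth ID at the moment of authentication and
        # issue a fresh one, carrying over any anonymous state worth keeping.
        old = self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, data=old.data if old else {})
        return new_sid


def pre_auth_id_still_authenticated(login) -> bool:
    """True if the ID handed out before login resolves to the logged-in session
    afterwards, i.e. if the store is open to session fixation."""
    store = SessionStore()
    anon_sid = store.new_session()
    store.get(anon_sid).data["basket"] = ["item-1"]   # constructed anonymous state
    new_sid = login(store, anon_sid, "alice")
    # Whichever path is used, the live session must carry the user and the basket.
    assert store.get(new_sid).user == "alice"
    assert store.get(new_sid).data["basket"] == ["item-1"]
    stale = store.get(anon_sid)
    return stale is not None and stale.user == "alice"
```

Run `pre_auth_id_still_authenticated(SessionStore.login_reusing_id)` and the same with `login_rotating_id` to see the first return True and the second False.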