[Twisted-web] [Nevow] new chapter about authentication

Manlio Perillo manlio_perillo at libero.it
Mon Aug 7 10:29:15 CDT 2006


Christopher Armstrong wrote:
> [...]
>     And guard resolves the problem by requiring that even anonymous users
>     have a session.
> 
> 
> This is true. However, I think you're very confused in thinking that
> this is not necessary.

This is possible, but someone has to explain to me why they are needed.

> 
>     Guard is not only doing an unnecessary thing (pages with cookies can
>     have problems with caches, AFAIK), but this creates a potential (very
>     rare indeed) security problem, since an anonymous user gains a valid
>     session ID that can be "authenticated" by a valid user (session fixation).
> 
> 
> First: What "problems with cache" are you referring to?
> 

I still have to study how caching works; I have only read
http://www.mnot.net/cache_docs/


> How do you expect to be able to tell different anonymous users apart
> without sessions and session IDs?
> 

And why should I do such a thing?
Really, maybe I'm missing something here; I'm not an expert.

Anonymous users simply access the web site without state, since I do not
need to keep state for them (unless I explicitly ask for it, like for an
e-commerce basket).


If cookies are needed for anonymous users, at least create a new session
when the user authenticates and not just reuse the old one.



Thanks and regards, Manlio Perillo
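The fixation scenario Manlio describes, played out against a toy session store, as an added example that is not part of the original message and not Nevow's or guard's code. The store, the cookie handling and the attacker/victim steps are constructed for illustration; the only assumption is the one the post makes, namely that the attacker can get the victim's browser to present a session ID the attacker already holds. The same store is run twice, once reusing the anonymous ID on login (the behaviour complained about) and once rotating it (the fix asked for).

```python
"""Session fixation: reusing an anonymous session ID across login vs rotating it.

Added example, not Nevow/guard code. The store, the cookie lookup and the
attacker/victim sequence below are a constructed toy model of the post.
"""
import secrets


class SessionStore:
    """Server-side session table keyed by an unguessable, server-issued ID."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # sid -> {"user": None or username}

    def resume(self, cookie_sid):
        """Resolve the ID carried in the request cookie.

        Hands out a fresh anonymous session if the cookie is missing or is not
        an ID this store issued: never adopt a client-supplied value, so an
        attacker cannot simply choose the ID the victim will log in under.
        """
        if cookie_sid is not None and cookie_sid in self._sessions:
            return cookie_sid
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session; returns the ID the client must use from now on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            # Vulnerable variant: the anonymous session is simply upgraded in
            # place, so anyone who already knows `sid` now holds the user's session.
            self._sessions[sid]["user"] = user
            return sid
        # Fixed variant: retire the pre-authentication ID (pop invalidates it
        # server-side) and move the state under a freshly generated ID.
        state = self._sessions.pop(sid)
        state["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid):
        """Who the server believes is behind this ID (None if anonymous or unknown)."""
        sess = self._sessions.get(sid)
        return None if sess is None else sess["user"]


def fixation_attack(rotate_on_login):
    """Play out the attack and return (what the attacker's ID now resolves to,
    what the victim's ID resolves to).

    1. The attacker visits anonymously and is issued a perfectly valid session ID.
    2. The attacker plants that ID in the victim's cookie jar (assumed here;
       the delivery mechanism is out of scope for this example).
    3. The victim logs in while presenting the planted ID.
    4. The attacker presents the original ID and checks whose session it is.
    """
    store = SessionStore(rotate_on_login=rotate_on_login)
    attacker_sid = store.resume(None)              # step 1: legitimately issued
    victim_cookie = attacker_sid                   # step 2: assumed planted
    victim_sid = store.resume(victim_cookie)       # the server accepts it: real ID
    victim_sid = store.login(victim_sid, "alice")  # step 3
    return store.user_for(attacker_sid), store.user_for(victim_sid)  # step 4


if __name__ == "__main__":
    print("reuse  :", fixation_attack(rotate_on_login=False))   # ('alice', 'alice')
    print("rotate :", fixation_attack(rotate_on_login=True))    # (None, 'alice')
```

With reuse, the attacker's pre-login ID resolves to "alice" after the victim authenticates; with rotation it resolves to nothing, because the old ID was dropped from the table and the victim was handed a new one. Rotating is only effective if the old ID is actually invalidated server-side and the new one is sent back in Set-Cookie; keeping the old entry alive "for a while" reopens the window.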


