[Twisted-web] Session Based Security for PyAmf application

Phil Christensen phil at bubblehouse.org
Mon Aug 18 16:28:35 EDT 2008 

On Aug 18, 2008, at 4:07 PM, Shawn Church wrote:
> I want to store user data in t.w.s.Session to allow a persistent  
> logon.  As the login will be made with a PyAmf method call I do not  
> think that t.w.w.Guard will work because it appears to process the  
> login from POST data.   It is trivial to store the user data in the  
> session object with Request.getSession,  but is this a secure  
> method?  Could someone guess the session key and use it to forge  
> credentials?  Is there a better way to do this?

Whenever you're dealing with sessions over unencrypted HTTP, it it  
potentially possible to forge credentials. I don't know for sure  
whether guard checks the IP address of a request against the original  
one that created the session in the first place, but even that could  
technically be forged.

> The PyAmf examples send the username and password with every method  
> call.  I would prefer to use the session because the user can log-on  
> once for multiple windows/tabs.  The twisted PB security model seems  
> much more elegant then what is available for twisted.web.  Am I  
> missing something????


I know what you mean; there are a number of things I don't like about  
Nevow guard, although I have to say I haven't spent any time with  
twisted.web's guard, and I know there are some differences.

However, the only real difference between the PB and twisted.web  
security models is guard itself (versus the PB login() methods). They  
both use twisted.cred for dealing with authentication, which is an  
excellent implementation of a common requirement.

If you can get a decent familiarity with twisted.cred, you can  
implement just about any session mechanism you might like. For an  
example, you could check out my txOpenID project (https://launchpad.net/txopenid 
). In this case, I needed to handle sessions without adding redirects  
to the authentication flow, save session data in a relational  
database, and programmatically determine where to redirect an  
unauthenticated user.

My solution in this case was to create a superclass resource that all  
my authenticated resources would inherit from. This is almost  
definitely not the "Twisted way" to do this, but it works  
exceptionally well for my needs.

Hope this was some help,

-phil

More information about the Twisted-web mailing list