[Twisted-web] Session Based Security for PyAmf application

Phil Christensen phil at bubblehouse.org
Mon Aug 18 18:44:29 EDT 2008

On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
>> potentially possible to forge credentials. I don't know for sure  
>> whether guard checks the IP address of a request against the  
>> original one that created the session in the first place, but even  
>> that could technically be forged.
> Caches.

My first guess is that you're referring to caching proxies. I don't  
really see how this is an issue, since there's a host of problems  
you'll run into if a misbehaving caching proxy is aggressively  
caching dynamic content.

Or perhaps the issue you're raising is that there exists a security  
issue in that if you are behind a proxy, anyone else behind that  
proxy could hijack your session even if the web app session code is  
checking the client's IP.

But, you know, I'm not so skilled at the whole brevity thing ;-)...


More information about the Twisted-web mailing list