[Twisted-web] Session Based Security for PyAmf application

Shawn Church shawn at schurchcomputers.com
Tue Aug 19 03:40:50 EDT 2008


So what is the bottom line? The standard Twisted session, in the
t.w.server module, creates a UID from an MD5 hash of a sequential number +
random(). This UID is stored in a cookie. So is it safe to store user
data in the session object and assume that the correct user is returned for
a given request (assuming https is used and also assuming that no one is
hacking the cookies on the user's computer)?

Well, just as I finished typing the above I noticed that Phil Mayers wrote
a more detailed response. I could set Digest auth via Flex but what about
twisted? I was trying to avoid twisted.web2 because my understanding is that
it is being phased out.

On Mon, Aug 18, 2008 at 5:46 PM, Tristan Seligmann
<mithrandi at mithrandi.net> wrote:

> * Phil Christensen <phil at bubblehouse.org> [2008-08-18 18:44:29 -0400]:
>
> > On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
> >>> potentially possible to forge credentials. I don't know for sure
> >>> whether guard checks the IP address of a request against the
> >>> original one that created the session in the first place, but even
> >>> that could technically be forged.
> >>
> >> Caches.
> >
> > My first guess is that you're referring to caching proxies. I don't
> > really see how this is an issue, since there's a host of problems you'll
> > run into if a misbehaving caching proxy is aggressively caching dynamic
> > content.
> >
> > Or perhaps the issue you're raising is that there exists a security
> > issue in that if you are behind a proxy, anyone else behind that proxy
> > could hijack your session even if the web app session code is checking
> > the client's IP.
>
> There's also the reverse problem; proxying of requests (or hosts moving
> between networks even without proxies) can cause multiple requests in
> the same session to come from different IP addresses, thus implementing
> this "security measure" will break a significant number of clients, and
> is probably a bad idea (since it is also ineffectual).
> --
> mithrandi, i Ainil en-Balandor, a faer Ambar
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAkiqF8gACgkQpNuXDQIV94rznQCfWQIcZ92qTeZyw14WuogX1GSM
> Gw4Anj4dzZ2d/Qhba9vIVfgLruLZ7ZAW
> =GX/n
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Twisted-web mailing list
> Twisted-web at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
>
>
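As an added illustration that is not part of this thread and is not Twisted's own t.w.server session code, the Python sketch below shows the design the question is circling: the cookie carries only an opaque, unguessable lookup key (here drawn from the OS CSPRNG rather than an MD5 of counter + random()), user data stays server-side keyed by that ID, and binding the session to the client IP is an optional check whose effect on a roaming or proxied client can then be observed directly, which is the objection Tristan raises above. The cookie name and the idle timeout are assumed values, not Twisted's.

```python
import secrets
import time

# Constructed example: a minimal server-side session store. Assumed values:
# the cookie name and the 30-minute idle timeout are illustrative only.
SESSION_TTL = 30 * 60        # seconds of idle time before a session expires
COOKIE_NAME = "SESSION_ID"   # assumed name, not Twisted's cookie name


class SessionStore:
    def __init__(self, bind_to_ip=False, now=time.time):
        self._sessions = {}          # session id -> {"user", "ip", "last"}
        self._bind_to_ip = bind_to_ip
        self._now = now              # injectable clock so expiry is testable

    def create(self, client_ip, user):
        # 32 random bytes from the OS CSPRNG -> 43-character URL-safe token.
        # The token carries no user data; it is only a lookup key, so the
        # client cannot learn or alter the user by reading or editing it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "last": self._now()}
        return sid

    def lookup(self, sid, client_ip):
        """Return the session's user, or None if the cookie is not acceptable."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last"] > SESSION_TTL:
            # Idle too long: drop it so a stale cookie cannot be reused.
            del self._sessions[sid]
            return None
        if self._bind_to_ip and entry["ip"] != client_ip:
            # The check the thread argues against: a client moving between
            # networks or routed through a rotating proxy pool is cut off here,
            # while anyone sharing the same proxy still presents the "right" IP.
            return None
        entry["last"] = self._now()
        return entry["user"]

    def destroy(self, sid):
        # Logout must invalidate server-side; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)


def cookie_header(sid):
    # Attributes a browser-facing app would want on the session cookie:
    # Secure (only sent over https, matching the question's assumption) and
    # HttpOnly (not readable from page script).
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Secure; HttpOnly; Path=/"


def demo_ip_binding_breaks_roaming_client():
    """Same user, same cookie, but the second request arrives from a new IP."""
    plain = SessionStore(bind_to_ip=False)
    pinned = SessionStore(bind_to_ip=True)
    sid_plain = plain.create("10.0.0.5", "alice")
    sid_pinned = pinned.create("10.0.0.5", "alice")
    # Second request arrives via a different address (proxy change / network move).
    return (plain.lookup(sid_plain, "192.0.2.7"),
            pinned.lookup(sid_pinned, "192.0.2.7"))


if __name__ == "__main__":
    print(demo_ip_binding_breaks_roaming_client())   # ('alice', None)
```

The `demo_ip_binding_breaks_roaming_client` function returns `('alice', None)`: the unpinned store keeps serving the legitimate user after the address change, the pinned one silently logs them out, and neither outcome stops a request that arrives from the same shared proxy address, which is the point made in the quoted reply.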