So what is the bottom line? The standard Twisted session, in the t.w.server module, creates a UID from an MD5 hash of a sequential number + random(). This UID is stored in a cookie. So is it safe to store user data in the session object and assume that the correct user is returned for a given request (assuming HTTPS is used and also assuming that no one is hacking the cookies on the user's computer)?
Well, just as I finished typing the above I noticed that Phil Mayers wrote a more detailed response. I could set Digest auth via Flex, but what about Twisted? I was trying to avoid twisted.web2 because my understanding is that it is being phased out.

On Mon, Aug 18, 2008 at 5:46 PM, Tristan Seligmann <[EMAIL PROTECTED]> wrote:
> * Phil Christensen <[EMAIL PROTECTED]> [2008-08-18 18:44:29 -0400]:
> > On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
> >>> potentially possible to forge credentials. I don't know for sure whether guard checks the IP address of a request against the original one that created the session in the first place, but even that could technically be forged.
> >>
> >> Caches.
> >
> > My first guess is that you're referring to caching proxies. I don't really see how this is an issue, since there's a host of problems you'll run into if a misbehaving caching proxy is aggressively caching dynamic content.
> >
> > Or perhaps the issue you're raising is that there exists a security issue in that if you are behind a proxy, anyone else behind that proxy could hijack your session even if the web app session code is checking the client's IP.
>
> There's also the reverse problem; proxying of requests (or hosts moving between networks even without proxies) can cause multiple requests in the same session to come from different IP addresses, thus implementing this "security measure" will break a significant number of clients, and is probably a bad idea (since it is also ineffectual).
> --
> mithrandi, i Ainil en-Balandor, a faer Ambar
>
> _______________________________________________
> Twisted-web mailing list
> [email protected]
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
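As an added example for this thread (editor's code, not Twisted's session implementation and not posted by anyone on the list), here is a session ID minted from a CSPRNG and issued as a cookie, next to a reconstruction of the "MD5 of counter + random()" shape the first message describes. The cookie name TWISTED_SESSION, the store layout, the TTL and all function names are assumptions made for the example.

```python
# Added example (not Twisted's code): mint session IDs from a CSPRNG, keep
# only a hash of them server-side, and issue the cookie with Secure/HttpOnly.
# Cookie name, store layout and TTL are assumptions for illustration.
import hashlib
import random
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "TWISTED_SESSION"   # assumed cookie name, for illustration
TOKEN_BYTES = 32                  # 256 bits of CSPRNG output per session


def legacy_uid(counter, seed=None):
    """Shape of the scheme described in the thread (a reconstruction, not
    Twisted's source): MD5 over random.random() and a sequential counter.
    The counter is guessable, so the only unpredictable input is one
    Mersenne Twister output (53 bits, not from a CSPRNG); the 128-bit MD5
    digest adds no entropy.  Passing a seed stands in for an attacker who
    knows the generator state: the UID is then fully reproducible."""
    rng = random if seed is None else random.Random(seed)
    return hashlib.md5(f"{rng.random()}_{counter}".encode()).hexdigest()


def _fingerprint(token: str) -> str:
    # Store a SHA-256 of the token, never the token itself, so a leaked
    # session table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """In-memory store: fingerprint -> (user data, creation time).

    Deliberately no client-IP binding: as the thread notes, proxies and
    roaming clients change addresses mid-session, and an attacker behind
    the same proxy shares the address anyway."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user_data, now=None):
        """Mint an unguessable token and remember only its fingerprint."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        created = now if now is not None else time.time()
        self._sessions[_fingerprint(token)] = (user_data, created)
        return token

    def lookup(self, token, now=None):
        """Return the session's user data, or None if unknown or expired."""
        fp = _fingerprint(token)
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        user_data, created = entry
        current = now if now is not None else time.time()
        if current - created > self.ttl:
            del self._sessions[fp]      # expired: drop it rather than extend it
            return None
        return user_data

    def destroy(self, token):
        """Log out: forget the session; True if one existed."""
        return self._sessions.pop(_fingerprint(token), None) is not None


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the session: Secure (sent over HTTPS only),
    HttpOnly (not readable by page script), SameSite=Lax, whole-site path."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    morsel = c[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=600)
    tok = store.create({"user": "alice"})   # constructed sample session
    print("Set-Cookie:", set_cookie_header(tok))
    print("lookup:", store.lookup(tok))
    print("legacy shape:", legacy_uid(1))
```

The point of the contrast: the legacy construction looks like a 128-bit identifier but its unpredictability is bounded by a single random.random() value from a non-cryptographic generator, whereas secrets.token_urlsafe draws from the OS CSPRNG. The store also answers the IP-binding part of the thread by not doing it at all; the Secure flag is what enforces the "assuming HTTPS" condition from the first message.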
