Shawn Church wrote:
So what is the bottom line? The standard Twisted session, in the t.w.server module, creates a UID from an MD5 hash of a sequential number + random(). This UID is stored in a cookie. So is it safe to store user data in the session object and assume that the correct user is returned for a given request (assuming https is used and also assuming that no one is hacking the cookies on the user's computer)?

"It depends".

We use that method, as do an awful lot of web service providers, and it's secure enough for our needs.

So, I would say "yes"


Well, just as I finished typing the above I noticed that Phil Mayers wrote a more detailed response. I could set Digest auth via Flex but what about twisted? I was trying to avoid twisted.web2 because my understanding is that it is being phased out.

I was being a tiny bit speculative. However, twisted.web has recently acquired new http authentication infrastructure (as opposed to the form-based guard stuff already present) which can handle digest.

See:

http://twistedmatrix.com/trac/browser/trunk/doc/web/examples/webguard.py

...however, digest auth only gives you "session-like" capabilities if you're using the md5-sess algorithm, and the comments here:

http://twistedmatrix.com/trac/browser/trunk/twisted/web/_auth/digest.py#L26

...make me wonder if the "new" code does?


_______________________________________________
Twisted-web mailing list
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
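The question above is whether a cookie holding a server-generated id is enough to tie a request to a user. The example below is added here and is not Twisted's code or anything from the thread: it is a small server-side session store of the kind the question describes, written from a defender's point of view. It differs from the MD5(counter + random()) scheme the question mentions in that the id comes from `secrets.token_urlsafe()` (the OS CSPRNG; Python's `random` module is a Mersenne Twister and is not designed for secrets), the table is indexed by a hash of the id so a leaked table does not hand out live cookies, sessions idle out, and the id is re-issued after login so a pre-login id cannot be replayed. The cookie name `TWISTED_SESSION`, the 30-minute idle timeout and the `SameSite=Lax` choice are assumptions, not values from the page.

```python
import hashlib
import secrets
import time
from typing import Any, Callable, Dict, Optional

# 32 bytes = 256 bits from the OS CSPRNG; token_urlsafe() encodes that as 43 chars.
SESSION_ID_BYTES = 32
# Idle timeout in seconds (assumed value, not a Twisted default).
SESSION_TTL_SECONDS = 30 * 60
# Cookie name (assumed here; not taken from the page).
COOKIE_NAME = "TWISTED_SESSION"


def _key(uid: str) -> str:
    """Index sessions by a hash of the id so a dumped table does not yield usable cookies."""
    return hashlib.sha256(uid.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side session table keyed by an unguessable id.

    User data lives only on the server; the cookie carries nothing but the key.
    """

    def __init__(self, ttl: int = SESSION_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl
        self._clock = clock
        self._sessions: Dict[str, Dict[str, Any]] = {}

    def create(self, user: str) -> str:
        """Start a session for `user` and return the id to put in the cookie."""
        uid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[_key(uid)] = {"user": user, "last_seen": self._clock()}
        return uid

    def lookup(self, uid: Optional[str]) -> Optional[Dict[str, Any]]:
        """Session for a presented cookie value, or None if unknown or idle too long."""
        if not uid:
            return None
        key = _key(uid)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._ttl:
            del self._sessions[key]      # idle timeout: drop it rather than revive it
            return None
        session["last_seen"] = now
        return session

    def rotate(self, uid: str) -> Optional[str]:
        """Re-key a session (e.g. right after login) so the pre-login id is dead."""
        session = self.lookup(uid)
        if session is None:
            return None
        del self._sessions[_key(uid)]
        new_uid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[_key(new_uid)] = session
        return new_uid

    def destroy(self, uid: str) -> None:
        """Logout: forget the session on the server, whatever the browser keeps."""
        self._sessions.pop(_key(uid), None)


def set_cookie_header(uid: str, name: str = COOKIE_NAME) -> str:
    """Set-Cookie value: HTTPS only, not readable by script, not sent cross-site."""
    return f"{name}={uid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    uid = store.create("alice")
    print(set_cookie_header(uid))
    print(store.lookup(uid))
```

The "it depends" in the reply maps onto what this store does and does not do: an unguessable id plus `Secure`/`HttpOnly` covers guessing and script theft over HTTPS, but nothing here protects a cookie that is copied off the user's machine, which is exactly the case the question excludes.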
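Phil's remark that digest auth is only "session-like" with the md5-sess algorithm is easiest to see in the arithmetic. The following is an added example, not code from the thread or from twisted.web's `_auth/digest.py`: a client side that answers a Digest challenge and a server side that checks it, for both the plain `MD5` and the `MD5-sess` algorithms of RFC 2617 with `qop=auth`. With plain MD5 the server recomputes everything from its stored `MD5(user:realm:password)` on every request; with MD5-sess that value is folded once with the server nonce and the client nonce into HA1-sess, a per-session key that the server could keep and check against while the nonce is valid. The test vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life") is the worked example from RFC 2617 §3.5; the header format and helper names are this example's own.

```python
import hashlib
import hmac
import re
from typing import Dict


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str = "MD5",
        nonce: str = "", cnonce: str = "") -> str:
    """RFC 2617 HA1. With MD5-sess the credential hash is folded with the server
    nonce and the client nonce once, giving a key bound to this session."""
    base = _md5_hex(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        return _md5_hex(f"{base}:{nonce}:{cnonce}")
    return base


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response value for qop=auth."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str,
                        algorithm: str = "MD5", qop: str = "auth") -> str:
    """Client side: the Authorization header sent in reply to a Digest challenge."""
    h1 = ha1(username, realm, password, algorithm, nonce, cnonce)
    resp = digest_response(h1, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", algorithm={algorithm}, qop={qop}, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


# key=value pairs, quoted or bare, separated by commas (example parser, not Twisted's)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> Dict[str, str]:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted if quoted else bare for k, quoted, bare in _PARAM.findall(params)}


class DigestVerifier:
    """Server side. Holds only MD5(user:realm:password) per user, never the password."""

    def __init__(self, realm: str, credentials: Dict[str, str]) -> None:
        self.realm = realm
        self._ha1 = {u: _md5_hex(f"{u}:{realm}:{p}") for u, p in credentials.items()}

    def verify(self, method: str, header: str, issued_nonce: str) -> bool:
        try:
            p = parse_authorization(header)
        except ValueError:
            return False
        base = self._ha1.get(p.get("username", ""))
        # Reject unknown users, a foreign realm, and nonces this server did not issue.
        if base is None or p.get("realm") != self.realm or p.get("nonce") != issued_nonce:
            return False
        cnonce = p.get("cnonce", "")
        if p.get("algorithm", "MD5").upper() == "MD5-SESS":
            # HA1-sess: this is the value a server could cache for the life of the nonce.
            session_key = _md5_hex(f"{base}:{issued_nonce}:{cnonce}")
        else:
            session_key = base
        expected = digest_response(session_key, method, p.get("uri", ""), issued_nonce,
                                   p.get("nc", ""), cnonce, p.get("qop", "auth"))
        # Constant-time comparison of the client's response against ours.
        return hmac.compare_digest(expected, p.get("response", ""))
```

Note what the server must keep in each mode: with plain MD5 it re-derives the proof from the stored credential hash each time, so each request is an independent proof of the same secret; with MD5-sess the only thing needed after the first request is HA1-sess, which is what makes it behave like a session keyed to the nonce pair rather than to the credential itself. Whether twisted.web's new code exposes that is the open question in Phil's message, not something this example settles.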
