[Twisted-Python] Re: cred and stateless protocols
Johann Borck
johann.borck at densedata.com
Sat May 6 10:14:17 MDT 2006
jarrod roberson wrote:
>
>
> On 5/5/06, *Nicola Larosa* <nico at teknico.net> wrote:
>
> > HTTP auth can also be used in such a way that the "session" is simply
> > the username that is being authenticated. nevow.guard attempts to make
> > the distinction between cookie-based and http-auth-based sessions simply
> > an implementation detail.
>
> Unfortunately they're functionally equivalent only as long as the same
> credentials are only used on one browser instance at the same time. If one
> user authenticates himself on two browsers with the same credentials, there
> can be two distinct cookie-based sessions, but only one http-auth based
> "session".
>
>
> that would be the case for a NAIVE cookie-based session.
>
> an intelligent session management implementation would be able to tell from
> the auth request that the user had already started a session and just use that.
>
> this kind of thing has already been written by many people; the OP needs to
> just use something that already exists. Session tracking code is not something
> you should be writing unless you are writing framework code or an app server.
>
> and since he is confusing / equating authentication == sessions he
> lacks a fundamental
Just interested, who do you refer to by "he"?
> understanding about security and authentication, authorization and
> stateful vs stateless semantics.
>
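The two behaviours argued over in the quoted exchange, as an added illustration that is not code from this thread, from Twisted or from nevow.guard: a naive cookie store mints a new session on every login, so one user on two browsers gets two sessions; an HTTP-auth style store keys state by the authenticated username, so the same user gets one; and a cookie store that reuses an existing session for a user collapses the two cases. The credential table, the class names and the `reuse_existing` flag are all assumptions made for the example.

```python
import secrets

# Constructed credential table for the illustration only; a real service would
# check credentials through a cred checker against hashed passwords.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    """True when the constructed table holds this username/password pair."""
    return USERS.get(username) == password


class CookieSessionStore:
    """Cookie-based sessions (hypothetical class).

    reuse_existing=False is the naive store: every successful login mints a
    fresh, unguessable session id.  reuse_existing=True is the 'intelligent'
    variant from the thread: if the user already has a session, hand that
    session back instead of starting a second one.
    """

    def __init__(self, reuse_existing=False):
        self.reuse_existing = reuse_existing
        self.sessions = {}   # session id (the cookie value) -> session dict
        self.by_user = {}    # username -> session id, consulted only for reuse

    def login(self, username, password):
        if not check_password(username, password):
            return None
        if self.reuse_existing and username in self.by_user:
            return self.by_user[username]
        sid = secrets.token_urlsafe(16)  # random id; never derived from the username
        self.sessions[sid] = {"user": username}
        self.by_user[username] = sid
        return sid


class HTTPAuthSessionStore:
    """HTTP-auth 'sessions' (hypothetical class).

    Credentials arrive on every request and the session key is simply the
    authenticated username, so there can be at most one session per user.
    """

    def __init__(self):
        self.sessions = {}   # username -> session dict

    def authenticate(self, username, password):
        if not check_password(username, password):
            return None
        return self.sessions.setdefault(username, {"user": username})


def cookie_sessions_for(username, password, browsers=2, reuse_existing=False):
    """Distinct cookie sessions created by `browsers` logins with one credential."""
    store = CookieSessionStore(reuse_existing)
    for _ in range(browsers):
        store.login(username, password)
    return len(store.sessions)


def http_auth_sessions_for(username, password, browsers=2):
    """Distinct HTTP-auth sessions after `browsers` clients send one credential."""
    store = HTTPAuthSessionStore()
    for _ in range(browsers):
        store.authenticate(username, password)
    return len(store.sessions)


if __name__ == "__main__":
    pw = USERS["alice"]
    print("naive cookie store, two browsers:   ", cookie_sessions_for("alice", pw))
    print("reusing cookie store, two browsers: ", cookie_sessions_for("alice", pw, reuse_existing=True))
    print("http-auth store, two browsers:      ", http_auth_sessions_for("alice", pw))
```

Reusing one session across browsers makes the cookie and HTTP-auth cases line up, but it also couples the clients: a logout or session expiry in one browser ends the session in the other, which is the trade-off to weigh before picking that behaviour.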