[Twisted-Python] Re: cred and stateless protocols

jarrod roberson jarrod at vertigrated.com
Mon May 8 12:34:51 MDT 2006


On 5/8/06, Manlio Perillo <manlio_perillo at libero.it> wrote:
>
> jarrod roberson ha scritto:
> > [...]
> >     I simply have seen an UDP protocol that uses sessions to identify
> each
> >     request.
> >     The session is obtained after an authentication phase.
> >
> >
> > if the session id never changes I am SURE you have seen an insecure UDP
> > protocol
>
> Of course, as the 90% of internet (as far as I have seen)..
>
> > which means unless the client and server are generating dynamic single
> > use tokens and "know" what the next valid session id the client should
> > send, which implies encryption plus authentication on every request.
> >
> >     Since I think that the procedure is similar to HTTP session
> handling, I
> >     was asking if there is some reusable support for creating "secure"
> >     session id and if cred has some support for this.
> >
> >
> >
> > you still don't understand STATE != Authentication.
> >
> > ANYONE can sniff the packets, get whatever token or breadcrumb you are
> > using for the state id and spoof it.
> > that is unless you REQUIRE authentication on every request. "secure"
> > session id's imply a form of authentication on every request.
> >
>
> Ok, but this implies (with simple authentication scheme like HTTP) to
> double the number of requests/responses.
>
> And what if the authentication protocol is more complex?
>
>
you can send "preemptive" authentication in the REQUEST headers
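The per-request authentication the thread is arguing for, as an added example that is not from the thread or from Twisted: each UDP datagram carries the session id, a sequence number and an HMAC over all of it under a key established in the authentication phase, so a sniffed token is useless on its own and a replayed datagram is rejected. The key, session id and message layout are assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Assumption (not from the thread): after the authentication phase both sides
# hold a shared per-session secret; it is never sent on the wire, only used.
SESSION_KEY = b"constructed-demo-key-do-not-use"
SESSION_ID = 0x1234ABCD
HEADER = struct.Struct("!IQ")   # session id (4 bytes) + sequence number (8 bytes)
TAG_LEN = hashlib.sha256().digest_size


def build_request(key, session_id, seq, payload):
    """Client side: authenticate one request 'preemptively', no challenge round trip.

    The tag covers header and payload, so neither can be altered unnoticed.
    """
    header = HEADER.pack(session_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SessionVerifier:
    """Server side: verifies every datagram and rejects replays of sniffed ones."""

    def __init__(self, key, session_id):
        self.key = key
        self.session_id = session_id
        self.last_seq = 0   # highest sequence number accepted so far

    def verify(self, datagram):
        """Return the payload if the datagram is authentic and fresh, else None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        header = datagram[:HEADER.size]
        body = datagram[HEADER.size:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        session_id, seq = HEADER.unpack(header)
        if session_id != self.session_id:
            return None
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None   # forged, wrong key, or tampered in transit
        if seq <= self.last_seq:
            return None   # replay of an already-accepted (sniffable) datagram
        self.last_seq = seq
        return body
```

Confidentiality is a separate concern: this only authenticates and orders requests; encrypt the payload as well if its contents must not be readable by the sniffer the thread describes.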