Hi Stefan,
On 29 oct. 2010, at 09:34, Stefan Andersson wrote:
> Hej Jean Baptiste,
>
> >> There are a few interesting things with session id:
> >> 1. monitor a continuous session from an identified IP
> >wow, I think linking IP and session is very dangerous. I won't do that.
>
> It is done on the server side so this is no wow. It is never revealed to the
> outside world.
>
I think there might be a wording problem: after reading your email, I'm not
sure that what you call a session is a JEE session; it might be more a concept you
implemented in your system that looks to be higher level than a JEE session.
If the session is a JEE session, I feel it is dangerous (or at least meaningless) to
link the client IP and that JEE session.
> >> 2. authentication
> >OK, we're using session only for that.
>
> If you do, then all activities (calls) enclosed by the authentication session
> are a session!!!
Our JEE session contains only authentication info, and in the future I'm looking
for another technical way to ensure authentication so I can get rid of the JEE
session and be fully stateless.
RPC calls are not "enclosed" in a session. An authentication filter handles
authentication (currently using the session) and the request never reaches RPC if
not authenticated.
Doing so in an independent filter makes RPC services fully independent of
authentication: pure business.
>
> >I try hard to maintain our server as stateless as possible for a future load
> >balancing.
>
> If it would be possible, but only without authentication it is true.
> Authentication needs the session to know that the user has been authenticated
> and still is logged in to be allowed to call different functions.
Exactly. The JEE session is only needed for authentication, and the only state we
have is authenticated or not.
>
> >> 3. increased security
> >> a) session cookies -> easy to break
> >I didn't know that, could you explain?
>
> It can be stolen from the client or it can be tampered with unencrypted during
> transfer from the server. It is a one-time thing happening for a session.
>
OK
> >> b) jsessionid sent as a parameter -> more secure and more difficult to tamper with
> >Why would it be more secure? I don't see how...
>
> You can, if you want, create a dynamic change of the session id. It means
> that the id sent from server to client changes and is more difficult to
> tamper with. It can also be encrypted. A little bit more difficult to break.
> At least not wide open doors!
>
OK, but a new jsessionid implies a new JEE session and you'll have to transfer the
content of the old session to the new one; an interesting idea since the JEE
session contains only one very small object.
[CUT]
>
> >I hope this clarifies that parameter injection and the design of our contrib.
>
> As I have the expertise in Java I do understand it, but the manual you have
> is too difficult to understand.
> RpcJavaPojo is a good contribution. We tested it yesterday night again. It is
> at least about 25% faster than RpcJava, and the integration is cleaner and
> better than RpcJava, based on already existing infrastructure.
> Can I suggest that you make a better manual for your contribution and clarify
> with better examples? Then I think people might be more interested in using it.
>
I fully agree but just don't have time for that manual (currently there is no
manual, only a few introductory words).
It took me ages before I was able to publish the contrib; we have lots of work,
but as a very small company it is all critical to survive, so writing the manual
for the community is very low priority :-)
We still have other possible contributions and I hope we'll be able to
contribute more and take more time for better documentation, but first we have
to ensure our own survival.
> Stefan
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> qooxdoo-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
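The two design points argued above, an authentication filter that keeps the RPC services "pure business" and the cost of changing the session id (invalidate the old JEE session, copy its content into a new one), are easy to show in plain servlet code. The following is an added example written for this thread; it is not code from the qooxdoo project or from the RpcJavaPojo contrib. It assumes the `javax.servlet` API of a Servlet 2.5 or later container, that the RPC servlet is mapped under a path such as `/rpc/*`, and the session attribute name `AUTH_USER` is a hypothetical choice.

```java
// Added example, not from the qooxdoo thread or the RpcJavaPojo contrib.
// Assumes the javax.servlet API (Servlet 2.5+); AUTH_USER is a hypothetical attribute name.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthenticationFilter implements Filter {

    /** The single small object the JEE session carries: who is logged in. */
    static final String AUTH_USER = "auth.user"; // hypothetical attribute name

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /**
     * Runs in front of every RPC call. An unauthenticated request is answered
     * here and never reaches the RPC servlet, so the RPC services know nothing
     * about sessions or authentication.
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session as a side effect of an
        // anonymous request; that is what keeps the server nearly stateless.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(AUTH_USER) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // chain is not continued
        }
        chain.doFilter(request, response);
    }

    /**
     * Login step: bind the user to a session that has a fresh id.
     * Invalidating the pre-login session and copying its (few) attributes into
     * a new one is the "transfer content of old session to new one" discussed
     * in the thread; it also means any session id the client held before
     * authenticating is worthless afterwards.
     */
    public static HttpSession authenticate(HttpServletRequest request, String userName) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // old JSESSIONID no longer maps to anything
        }
        HttpSession fresh = request.getSession(true); // container issues a new JSESSIONID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(AUTH_USER, userName);
        return fresh;
    }
}
```

The filter is wired in `web.xml` with a `<filter-mapping>` whose `<url-pattern>` covers the RPC path, and the login servlet calls `authenticate(request, userName)` once credentials have been verified. On the cookie theft and tampering points raised above, a Servlet 3.0 container also lets `web.xml` mark the session cookie `<http-only>true</http-only>` and `<secure>true</secure>` inside `<session-config><cookie-config>`, so the id is not readable from script and is only sent over TLS; that removes most of the exposure without having to move the id into a request parameter.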