On Jan 8, 2008, at 11:09 AM, alex clemesha wrote:

> On Jan 8, 2008 1:46 AM, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
>> Hey Alex,
>
> Hi Robert,
>
>> I'm stumped by some of the twisted notebook code. Specifically, if
>> the login form is set to POST instead of GET it redirects login/
>
> You are definitely going to want the login form to always be a POST
> not a GET, so that the credentials are sent as post-data, not as GET
> url parameters.

Yes, the login form should always be POST, but here I do want to use
GET parameters. Specifically, when the server starts up, it can provide
a URL with a one-time authentication token in the URL it pops up. Since,
in our case, users are often starting up their own servers this will be
really handy (and not a security risk, because they could just do
reset=True anyways).

>> This slash is particularly annoying.
>
> In what case is this causing a problem?
>
>> Is there any way to
>>
>> 1) have it not redirect to login/
>
> the path 'login' is required to be there for the authentication to
> work (you could change it to some other name, but then you would have
> to change other code)

login is fine, login redirecting to login/ is causing the error.

>> or 2) set the session cookie path (to '/')
>
> You can always set the cookie path to whatever you want when you
> initially send it (right after login) through the 'set-cookie' http
> header.

I wasn't able to figure out where, exactly, set-cookie was getting
called. It seemed to be called somewhere in the bowels of the twisted
cred module, and I didn't know how to access it. This would be perfect,
if it works.

>> I bet you have similar issues with knoboo.
>
> I have definitely made some improvements in Knoboo to the
> authentication code since it was first put into the Sage notebook.
>
> One major issue that still exists in the Sage notebook has to do
> with login and is *a security issue*:
>
> It is necessary to do a redirect after 'login' (which is a POST),
> to a GET such that the post-data is not stored in the browser. This is
> an important issue because *after logout the username/password remains
> in the browser* and all someone else has to do to login with the last
> person's credentials is to hit the back-button and then refresh the
> page. (Try it yourself)
>
> The solution to this problem is called the 'post-redirect-get method'
> (see google for more info) and besides being needed for security, I
> think it might solve the above problems that you are facing.

Thanks for your response, and, we should look into this issue too.

- Robert
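As an added illustration of the post-redirect-get fix Alex describes, together with the cookie path and the one-time startup token Robert mentions: this is example code written for this note, not code from the Sage notebook, Knoboo or Twisted, and the LoginServer class, the Reply type and the credential store are all constructed for it.

```python
import hmac, secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

# Constructed credential store (cleartext only for this example).
USERS = {"alice": "correct horse"}

@dataclass
class Reply:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

class LoginServer:
    def __init__(self):
        self.sessions = {}           # session id -> username
        self.startup_tokens = set()  # one-time tokens from the startup URL

    def issue_startup_token(self):
        # Token embedded in the URL the server pops up on start; single use.
        tok = secrets.token_urlsafe(24)
        self.startup_tokens.add(tok)
        return tok

    def _start_session(self, user):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = user
        # Path=/ so the cookie is sent to every URL, not only under /login/.
        cookie = "session=%s; Path=/; HttpOnly" % sid
        # 303 See Other: the browser follows with a GET, so history holds no POST body.
        return Reply(303, {"Location": "/home", "Set-Cookie": cookie})

    def handle(self, method, path, query="", body=""):
        if path != "/login":
            return Reply(404)
        if method == "GET":
            tok = parse_qs(query).get("token", [None])[0]
            if tok in self.startup_tokens:
                self.startup_tokens.discard(tok)   # reject any second use
                return self._start_session("owner")
            return Reply(200, body="<form method=POST action=/login>...</form>")
        if method == "POST":
            form = parse_qs(body)
            user = form.get("username", [""])[0]
            pw = form.get("password", [""])[0]
            expected = USERS.get(user, "")
            if user in USERS and hmac.compare_digest(expected.encode(), pw.encode()):
                return self._start_session(user)
            # A failed POST also redirects: the form is never rendered in reply to a POST.
            return Reply(303, {"Location": "/login?" + urlencode({"error": "1"})})
        return Reply(405)
```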
