Jean-Paul Calderone wrote:
> On Sun, 06 Aug 2006 23:40:33 +0200, Manlio Perillo
> <[EMAIL PROTECTED]> wrote:
>> Jean-Paul Calderone wrote:
>>> [...]
>>>
>>>> I have found an example that needs specialized (non authenticators)
>>>> sessions.
>>>>
>>>> Several e-commerce sites allow customers to put items into a basket
>>>> even if they are not authenticated.
>>>
>>> No. This case is no different from any other. Cred does not make
>>> anonymous users a special case: it deals with them in the same way
>>> it deals with all other users.
>>>
>>> Guard is entirely capable of providing a shopping cart to
>>> unauthenticated users.
>>>
>>
>> This is not the point.
>> The point is in having sessions that are not used for authentication.
>>
>> I have just finished writing a version of guard that *does not* use
>> sessions for anonymous users.
>>
>> This means that for dealing with an e-commerce application I have to
>> create a specialized session.
>> Hopefully I would like to do:
>>
>>     class BasketSession(Session):
>>         def __init__(self, ...):
>>             Session.__init__(self, ...)
>>
>>             self.basket = []
>>
>
> Feel free to do this, but it's not the recommended way to address this
> use case in twisted.web or Nevow. The version of guard which is included
> in releases of either won't work this way, nor will the documentation
> recommend this approach.
>
Yes. And guard resolves the problem by requiring that even anonymous users have a session.

Guard is not only doing an unnecessary thing (pages with cookies can have problems with caches, AFAIK), but this creates a potential (very rare indeed) security problem, since an anonymous user gains a valid session ID that can be "authenticated" by a valid user (session fixation).

Thanks and regards
Manlio Perillo
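The scenario Manlio describes above, as an added illustration that is not part of the thread and not twisted.web's guard code: a toy server-side session store (constructed names and data) that hands anonymous shoppers a session for their basket, shown once with the fixation-prone pattern of authenticating the pre-login ID in place, and once with the usual mitigation of rotating the session ID at login while carrying the basket over.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed example, not twisted.web's guard)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def new_anonymous(self):
        # An anonymous visitor gets a session so a basket can be kept before login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "basket": []}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_fixated(self, sid, username):
        # Weak pattern: the pre-login id is authenticated in place, so anyone who
        # already knew this id now holds an authenticated session (session fixation).
        self._sessions[sid]["user"] = username
        return sid

    def login_rotated(self, sid, username):
        # Mitigation: issue a fresh id at the privilege change and drop the old one;
        # the basket is carried over so the shopper loses nothing.
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "basket": data["basket"]}
        return new_sid


def demo():
    """Returns (fixated_id_still_valid, rotation_behaves_correctly)."""
    store = SessionStore()
    anon = store.new_anonymous()           # id known before authentication
    store.get(anon)["basket"].append("book")
    fixated = store.login_fixated(anon, "alice")
    fixated_ok = fixated == anon and store.get(anon)["user"] == "alice"

    store2 = SessionStore()
    anon2 = store2.new_anonymous()
    store2.get(anon2)["basket"].append("book")
    rotated = store2.login_rotated(anon2, "alice")
    rotated_ok = (store2.get(anon2) is None                    # old id no longer valid
                  and store2.get(rotated)["user"] == "alice"   # new id is authenticated
                  and store2.get(rotated)["basket"] == ["book"])  # basket survived
    return fixated_ok, rotated_ok
```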
