Christopher Armstrong wrote:
> [...]
> And guard resolves the problem by requiring that even anonymous users have
> a session.
>
>
> This is true. However, I think you're very confused in thinking that
> this is not necessary.

This is possible, but someone has to explain to me why they are needed.

> Guard is not only doing an unnecessary thing (pages with cookies can
> have problems with caches, AFAIK) but this creates a potential (very rare
> indeed) security problem, since an anonymous user gains a valid session ID
> that can be "authenticated" by a valid user (session fixation).
>
>
> First: What "problems with cache" are you referring to?

I still have to study how caching works; I have only read
http://www.mnot.net/cache_docs/

> How do you expect to be able to tell different anonymous users apart
> without sessions and session IDs?

And why should I do such a thing?

Really, maybe I'm missing something here, I'm not an expert.

Anonymous users simply access the web site without state, since I do not
need to keep state for them (unless I explicitly ask for it, like for an
e-commerce basket).

If cookies are needed for anonymous users, at least create a new session
when the user authenticates and not just reuse the old one.

Thanks and regards
Manlio Perillo

_______________________________________________
Twisted-web mailing list
[email protected]
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
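The mitigation asked for at the end of the message above, issuing a fresh session ID at authentication instead of promoting the anonymous one, as an added illustration that is not part of the thread and not guard's or Twisted's code: `SessionStore` and `simulate_login` are hypothetical names, and the store is a constructed in-memory stand-in.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store; not Twisted's guard, illustrative only."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def new_session(self):
        # Unpredictable ID; an anonymous visitor gets one of these on first hit.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_reusing_session(self, sid, username):
        """Weak pattern: the ID issued before login is promoted to authenticated."""
        # Anyone who learned the anonymous ID earlier now holds a logged-in session.
        session = self._sessions.get(sid)
        if session is None:
            return None
        session["user"] = username
        return sid

    def login_with_fresh_session(self, sid, username):
        """Mitigation: drop the pre-authentication session and issue a new ID."""
        old = self._sessions.pop(sid, {})
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        # Carry over only state the application explicitly wants, e.g. a basket.
        if "basket" in old:
            self._sessions[new_sid]["basket"] = old["basket"]
        return new_sid


def simulate_login(regenerate):
    """Return (old_id_authenticated, id_changed, basket_kept) after a login."""
    store = SessionStore()
    anon_sid = store.new_session()              # ID handed out while anonymous
    store.get(anon_sid)["basket"] = ["item-1"]  # constructed pre-login state to keep
    if regenerate:
        auth_sid = store.login_with_fresh_session(anon_sid, "alice")
    else:
        auth_sid = store.login_reusing_session(anon_sid, "alice")
    old = store.get(anon_sid)
    old_id_authenticated = old is not None and old["user"] == "alice"
    basket_kept = store.get(auth_sid).get("basket") == ["item-1"]
    return old_id_authenticated, auth_sid != anon_sid, basket_kept
```

With the weak login the pre-authentication ID ends up authenticated; with the fresh-session login it is no longer valid at all, while the basket survives.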
