"Tickets" and XML-RPC authentication
Magnus Lie Hetland
mlh at vier.idi.ntnu.no
Mon Jul 15 17:05:53 EDT 2002
In article <0FiY8.16023$p56.5181944 at newsb.telia.net>, Fredrik Lundh wrote:
>Magnus Lie Hetland wrote:
>
>> If I have only one server/service, and that service takes care of its
>> own authentication (i.e. no Kerberos-like stuff), is there any point
>> to using a ticket/cookie-based system?
>>
>> In other words, is there any point to doing this:
>>
>> ticket = server.authenticate('username', 'password')
>> server.performService(ticket, some, other, params)
>>
>> rather than
>>
>> server.performService('username', 'password', some, other, params)
>>
>> ?
>
>if you assume that a potential attacker sees everything you do
>all the time, and don't care about performance and complexity,
>no.
Well, I do care about complexity... Not sure if the performance boost
here is something I care too much about, though ;)
As for attackers listening in -- I guess you mean that I might want to
have one secure (ssl) login-call, and then do the rest in the open?
I'm not completely sure why I then wouldn't want to wrap it all in a
secure connection...
>tickets can make both the client and the server simpler if you
>want to associate lots of content with an XML-RPC "connection";
I see -- session handling, more or less.
>it allows you to distinguish between different clients using the same
>username/password, it makes it easier to let "connections" expire,
>etc.
Yes.
The API complexity and session handling were the two things I was able
to think of...
>(and Dave Winer would never think of doing things that way ;-)
Eh... OK...? :-]
>and yes, if a potential attacker doesn't see everything, it may
>even be a bit safer. why keep sending the password over and
>over again, when you don't have to?
Hm. Good point.
></F>
--
Magnus Lie Hetland The Anygui Project
http://hetland.org http://anygui.org
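Fredrik's points above (one `authenticate` call that carries the password, an opaque ticket on every later call, tickets that expire and that distinguish two clients sharing a login) put into working form, as an added Python example that is not part of this thread. The `alice` account, `TICKET_LIFETIME`, the two-number `performService` and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from xmlrpc.server import SimpleXMLRPCServer

TICKET_LIFETIME = 600  # assumed: seconds a ticket stays valid after it is issued

class TicketService:
    """Issues an opaque ticket at login and checks it on every later call."""
    def __init__(self, users, clock=time.time):
        # users: {username: password}; the clock is injectable so expiry is testable
        self._salt = secrets.token_bytes(16)
        self._users = {u: self._hash(p) for u, p in users.items()}
        self._tickets = {}  # ticket -> (username, expiry time)
        self._clock = clock

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def authenticate(self, username, password):
        """The only call that carries the password; returns a fresh ticket."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, self._hash(password)):
            raise ValueError("bad credentials")
        # unguessable and minted per login, so two clients sharing one
        # username/password still hold distinct tickets
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (username, self._clock() + TICKET_LIFETIME)
        return ticket

    def _check(self, ticket):
        username, expiry = self._tickets.get(ticket, (None, 0))
        if username is None:
            raise ValueError("unknown ticket")
        if self._clock() > expiry:
            del self._tickets[ticket]  # the "connection" has expired
            raise ValueError("ticket expired")
        return username

    def logout(self, ticket):
        return self._tickets.pop(ticket, None) is not None

    def perform_service(self, ticket, a, b):
        """Stand-in for the post's performService: the ticket replaces the password."""
        return "%s: %d" % (self._check(ticket), a + b)

def serve(host="127.0.0.1", port=8000):
    server = SimpleXMLRPCServer((host, port), allow_none=True)
    svc = TicketService({"alice": "s3cret"})  # constructed sample account
    for fn, name in ((svc.authenticate, "authenticate"), (svc.perform_service, "performService"), (svc.logout, "logout")):
        server.register_function(fn, name)
    server.serve_forever()
```

The XML-RPC transport itself is unchanged; only the first call carries the password, and the server can drop a ticket at any time to end that client's session.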