Andrea Arcangeli wrote:
Because of subject, any data structure linked to the user is still visible to the webserver if the user explicitly types /__logout__ in the URL. That doesn't seem very safe behaviour.
The userdb/ in the example directory does this to workaround it:
    def logout(self, request):
        request.getSession().expire()
        request.setComponent(iformless.IRedirectAfterPost, "/"+guard.LOGOUT_AVATAR)
but that workaround is insecure, since the user can type __logout__ by himself (if he knows the nevow code at least) and logout without clearing the session.
This problem would have caused a (very minor) security issue to me, but it might have more serious implications in other apps.
So I'd suggest to expire the session automatically in the __logout__ avatar so that a new fresh (anonymous) session will have to be allocated after logout.
As I understand it, that removes "too much state"; that is, you only asked to logout from this specific realm, where the same person could be logged into multiple Realms at the same time. Or something like that.

When your Realm returns the 3-tuple (inevow.IResource, someResource, logout) that logout callback is called when you call guard's .logout() or visit __logout__ (or when the session expires). Clean up the state there. For instance, if your app-specific state is in session.setComponent(IMyAppState, state), and thus accessed with IMyAppState(inevow.ISession(ctx)), you can clean that with session.unsetComponent(IMyAppState).

Things could be cleaner. That's mostly a matter of good docstrings, gentle API evolution, and examples. Things could be simpler. But the design inherits directly from twisted.cred, and that is up to glyph to defend (most likely on the main twisted mailing list).
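The (interface, resource, logout) pattern the reply describes, as an added example that is not code from this thread or from Nevow itself: the Realm's logout callback, not the app's own logout page, is where per-user state is removed, so the cleanup runs on guard's .logout(), on __logout__ and on session expiry alike. Nevow is not imported; Session, IResource and IMyAppState are constructed stand-ins for the session component calls used in the reply, and passing the session in as the mind argument is an assumption made for the example.

```python
# Added example: a twisted.cred-style Realm whose requestAvatar returns the
# (interface, resource, logout) 3-tuple, with logout clearing session state.
# Session is a constructed stand-in for inevow.ISession(ctx) exposing only
# the calls the thread mentions: setComponent, unsetComponent, expire.

class Session:
    """Constructed stand-in: a bag of components keyed by interface."""
    def __init__(self):
        self._components = {}
        self.expired = False

    def setComponent(self, iface, value):
        self._components[iface] = value

    def getComponent(self, iface, default=None):
        return self._components.get(iface, default)

    def unsetComponent(self, iface):
        self._components.pop(iface, None)

    def expire(self):
        self.expired = True
        self._components.clear()


class IResource:      # stand-in for inevow.IResource
    pass

class IMyAppState:    # stand-in for the app's own state interface
    pass


class MyRealm:
    """Realm shaped like twisted.cred IRealm.requestAvatar.
    Assumption for this example: guard hands the session in as `mind`."""
    def requestAvatar(self, avatarId, mind, *interfaces):
        session = mind
        # Per-user state hangs off the session, keyed by its interface.
        session.setComponent(IMyAppState, {"user": avatarId, "cart": []})
        resource = object()   # the app's real IResource would go here

        def logout():
            # Guard calls this on .logout(), on /__logout__ and on expiry,
            # so state is removed on every path out, not just the app's
            # own logout page (which a user could bypass via __logout__).
            session.unsetComponent(IMyAppState)

        return (IResource, resource, logout)


def guard_logout(avatar):
    """Stand-in for what guard does when it sees /__logout__."""
    _iface, _resource, logout = avatar
    logout()


def demo():
    """Returns (state present after login, state gone after __logout__)."""
    session = Session()
    avatar = MyRealm().requestAvatar("alice", session, IResource)
    present = session.getComponent(IMyAppState) is not None
    guard_logout(avatar)
    gone = session.getComponent(IMyAppState) is None
    return present, gone
```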