"Tickets" and XML-RPC authentication

Fredrik Lundh fredrik at pythonware.com
Sun Jul 14 13:37:00 EDT 2002


Magnus Lie Hetland wrote:

> If I have only one server/service, and that service takes care of its
> own authentication (i.e. no Kerberos-like stuff), is there any point
> to using a ticket/cookie-based system?
>
> In other words, is there any point to doing this:
>
>   ticket = server.authenticate('username', 'password')
>   server.performService(ticket, some, other, params)
>
> rather than
>
>   server.performService('username', 'password', some, other, params)
>
> ?

if you assume that a potential attacker sees everything you do
all the time, and don't care about performance and complexity,
no.

tickets can make both the client and the server simpler if you
want to associate lots of content with an XML-RPC "connection";
it allows you to distinguish between different clients using the same
username/password, it makes it easier to let "connections" expire,
etc.

(and Dave Winer would never think of doing things that way ;-)

and yes, if a potential attacker doesn't see everything, it may
even be a bit safer.  why keep sending the password over and
over again, when you don't have to?

</F>
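The two-call shape Magnus asks about, carried through as a small server-side object. This is an added example, not code from the original thread: it assumes a constructed user table (`magnus` / `secret`), a fixed ticket lifetime `TICKET_TTL`, and an injectable clock so expiry can be exercised without sleeping. It shows the two properties Fredrik mentions: each `authenticate` call yields a distinct ticket, so two clients sharing one username/password are told apart, and tickets expire (or can be revoked) without the password ever being sent again.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store: username -> PBKDF2 hash (hypothetical user).
_SALT = b"constructed-demo-salt"
TICKET_TTL = 60.0  # seconds a ticket stays valid after authenticate()


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"magnus": _hash_password("secret")}


class TicketService:
    """Server object whose public methods map onto the XML-RPC calls in the post.

    Methods beginning with '_' are never exposed by SimpleXMLRPCServer, so the
    ticket table and lookup helper stay server-side.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (username, expiry timestamp)

    def authenticate(self, username, password):
        """Check the password once; hand back an opaque, random ticket."""
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
            raise ValueError("bad credentials")
        ticket = secrets.token_hex(16)  # 128 bits of randomness, unguessable
        self._tickets[ticket] = (username, self._clock() + TICKET_TTL)
        return ticket

    def _lookup(self, ticket):
        """Resolve a ticket to its user, dropping it if it has expired."""
        entry = self._tickets.get(ticket)
        if entry is None:
            raise ValueError("unknown ticket")
        username, expiry = entry
        if self._clock() > expiry:
            del self._tickets[ticket]
            raise ValueError("ticket expired")
        return username

    def performService(self, ticket, *params):
        """The service call itself: only the ticket travels, never the password."""
        username = self._lookup(ticket)
        return {"user": username, "ticket": ticket, "params": list(params)}

    def logout(self, ticket):
        """Revoke one client's ticket without touching other clients of the same user."""
        return self._tickets.pop(ticket, None) is not None

    def active_tickets(self, username):
        """How many unexpired tickets a user currently holds."""
        now = self._clock()
        return sum(1 for u, exp in self._tickets.values() if u == username and exp > now)


if __name__ == "__main__":
    # Exposing the object over XML-RPC; the client side is then exactly the
    # two calls from the post: ticket = server.authenticate(...);
    # server.performService(ticket, ...).
    from xmlrpc.server import SimpleXMLRPCServer

    srv = SimpleXMLRPCServer(("127.0.0.1", 8000))
    srv.register_instance(TicketService())
    srv.serve_forever()
```

Because the ticket is random and short-lived, a captured ticket is worth less than a captured password, and revoking it (`logout`, or just waiting for `TICKET_TTL`) does not force a password change.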
