[Web-SIG] Session interface

Phillip J. Eby pje at telecommunity.com
Tue Aug 16 23:51:14 CEST 2005


At 05:06 PM 8/16/2005 -0400, mike bayer wrote:
>There's also security considerations regarding using only cookies without
>server-side sessions.  For login tokens, if there's no corresponding
>server-side token to match up that it is in fact a current login and not
>something left over from a long-closed session, then some kind of clever
>encryption combined with time information must be used on the client-side
>token that can guarantee the login is recent and valid.

That's why I listed signed vs. unsigned data as one of the concerns that 
should be part of a client-side session API design.  You don't need 
encryption, btw, you just need a signature.  Signatures are easily done by 
using a hashing algorithm and a secret key.  And by easily done, I mean a 
few lines of Python.

Really the only "interesting" part of managing a hash-based signature is 
where to store the key such that all the server processes can access it, 
but it isn't part of your source code.  You can do that with a file on a 
single server, but for multiple servers it's back to the DB or else you 
need a way to push out configuration to the servers.  You also need key 
rotation such that your signatures indicate which key was used to sign 
them, so that people's keys don't suddenly stop working when you update 
your key.

OTOH, if you have a multi-server setup you probably already know about all 
these problems and have ways to deal with them.
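The scheme sketched in this message (a keyed hash over the client-side token, a timestamp inside the signed data so freshness can be checked without a server-side session, and a key id carried with the signature so keys can be rotated without invalidating every live login) as an added, self-contained example. This is not code from the original post or from any Web-SIG project; the KEYS ring, the token layout "key_id.payload.mac", the one-hour max_age, and the use of HMAC-SHA256 are all assumptions made here for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key ring for the example: key id -> secret. In a real deployment
# this is loaded from a file, the DB, or pushed-out config, never from source.
# (Assumption: two keys are live, with "k2" the one currently used for signing;
# "k1" is kept so tokens signed before the rotation still verify.)
KEYS = {
    "k1": b"example-old-secret-not-for-production",
    "k2": b"example-new-secret-not-for-production",
}
CURRENT_KEY_ID = "k2"


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data, key_id=CURRENT_KEY_ID, now=None) -> str:
    """Return 'key_id.payload.mac' for a client-side session token.

    The issue time goes inside the signed payload so a stale token cannot be
    refreshed by editing it, and key_id is covered by the MAC so a token
    cannot be re-pointed at a different key by the client.
    """
    issued_at = int(time.time()) if now is None else int(now)
    body = json.dumps({"d": data, "iat": issued_at},
                      sort_keys=True, separators=(",", ":"))
    payload = _b64e(body.encode("utf-8"))
    signed_part = f"{key_id}.{payload}".encode("ascii")
    mac = hmac.new(KEYS[key_id], signed_part, hashlib.sha256).digest()
    return f"{key_id}.{payload}.{_b64e(mac)}"


def verify_session(token: str, max_age: int = 3600, now=None):
    """Return the session data if the MAC verifies under a known key and the
    token is no older than max_age seconds; otherwise return None."""
    current = int(time.time()) if now is None else int(now)
    try:
        key_id, payload, mac_text = token.split(".")
        key = KEYS[key_id]  # unknown or retired key id -> KeyError -> None
        signed_part = f"{key_id}.{payload}".encode("ascii")
        expected = hmac.new(key, signed_part, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how much matched.
        if not hmac.compare_digest(expected, _b64d(mac_text)):
            return None
        body = json.loads(_b64d(payload).decode("utf-8"))
        if current - int(body["iat"]) > max_age:
            return None  # authentic, but too old to count as a current login
        return body["d"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        # Malformed token, bad base64, unknown key or missing fields fail closed.
        return None


if __name__ == "__main__":
    token = sign_session({"user": "alice"})
    print(token)
    print(verify_session(token))
```

Rotation then means adding a new entry to KEYS and changing CURRENT_KEY_ID; old tokens keep verifying under their own key id until they age out, after which the old key can be dropped from the ring. Note that this signs but does not encrypt: the payload is only base64, so anything placed in it is readable by the client, which is fine for a user id and timestamp but not for secrets.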


