[vmchecker-dev] web services specification revised

Claudiu-Dan Gheorghe claudiugh at gmail.com
Thu Mar 11 21:50:46 EET 2010


> Ahhh. I think I've got it. I've only stored the username in a cookie, I didn't save a 'state' on the server. But I guess this is very insecure :S (I did something like this [0]). So basically I will have to store a sessionId in a cookie, and on the server save the username associated with that sessionId. Right? Ok. I'll see how I will do this in mod_python.

You don't need to handle the session id manually. The session object from
mod_python does this for you, as far as I know. You can check the code
here, in hwchecker [1], a project begun by me and Stefan Bucur in
which we wanted to implement the GUI for vmchecker as a separate
project.

>
> PS. To hack this thing is equivalent to guessing a currently used session id, right? Which is undeniably much, much more secure. :D

Yes, indeed the session id can create opportunities for a replication
attack, but I think this id is a hash that mixes various pieces of
information, including the user agent, source IP, and so on. This
depends on how the session management is implemented underneath.
Anyway, for now we can rely on this, since security concerns are not a
priority.

> I still don't get what you want to replace with this service. Why does the browser want to know if the client is authenticated? (When do you use this service?)

This is useful in the first step of loading the application. We must
decide what we should display: the application content (if the client
was previously authenticated) or the login screen (if it is not
authenticated).

[1] http://code.google.com/p/hwchecker/source/browse/trunk/server/index.py

-- 
Claudiu
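The session scheme discussed in this thread (an opaque session id in the cookie, the username kept only in a server-side table, plus an "is the client authenticated?" service for the first page load), as an added example that is not part of the original thread and not mod_python's or hwchecker's own code. It is plain Python with no framework; the cookie name `vmchecker_sid`, the `SessionStore` class and the function names are assumptions for illustration. The insecure variant (`insecure_user_from_cookie`) is kept alongside to show why a forged `username=` cookie is accepted there and a guessed session id is not in the server-side scheme.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

# Hypothetical cookie name; not the name mod_python or hwchecker uses.
SESSION_COOKIE = "vmchecker_sid"


def insecure_user_from_cookie(cookie_header):
    """The approach the thread warns against: the username itself is the
    cookie, so the client decides who it is. Anyone can set username=admin."""
    jar = _load_cookies(cookie_header)
    morsel = jar.get("username")
    return morsel.value if morsel else None


class SessionStore:
    """Server-side map from an opaque session id to the logged-in username.

    The id is drawn from the OS CSPRNG (secrets), so it carries no user
    information and cannot be derived from the user agent or source IP;
    "guessing a currently used session id" means guessing 256 random bits.
    """

    def __init__(self, id_bytes=32):
        self._sessions = {}
        self._id_bytes = id_bytes

    def login(self, username):
        """Called after the password check succeeded; returns the new id."""
        sid = secrets.token_urlsafe(self._id_bytes)
        self._sessions[sid] = username
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def _load_cookies(cookie_header):
    """Parse a raw Cookie: header value; malformed input yields an empty jar."""
    jar = SimpleCookie()
    if cookie_header:
        try:
            jar.load(cookie_header)
        except CookieError:
            pass
    return jar


def session_id_from_cookie(cookie_header):
    morsel = _load_cookies(cookie_header).get(SESSION_COOKIE)
    return morsel.value if morsel else None


def is_authenticated(store, cookie_header):
    """The 'is the client authenticated?' service from the thread.

    Returns the username for a live session, or None, so the front end can
    choose between the application content and the login screen.
    """
    sid = session_id_from_cookie(cookie_header)
    if sid is None:
        return None
    return store.lookup(sid)


def set_cookie_header(sid):
    """Set-Cookie value for the session id. HttpOnly keeps scripts from
    reading it; Secure and SameSite limit where the browser will send it."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["samesite"] = "Lax"
    jar[SESSION_COOKIE]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    # Constructed requests: one real login, one forged cookie, one guess.
    store = SessionStore()
    sid = store.login("alice")
    print(is_authenticated(store, f"{SESSION_COOKIE}={sid}"))      # alice
    print(is_authenticated(store, f"{SESSION_COOKIE}=guessed"))    # None
    print(insecure_user_from_cookie("username=admin"))             # admin
    print(set_cookie_header(sid))
```

Once mod_python's Session object is used instead, the same split applies: the cookie carries only the id, and the username lives in the session data on the server. The check to keep in mind is the one this block makes explicit: the id must come from a CSPRNG rather than from a hash of predictable request fields, otherwise the "guess a live session id" attack the thread mentions becomes cheap.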

