[Authentication] Problem: Multiple sessions per application
Michael Leupold
lemma at confuego.org
Tue Aug 18 14:19:36 PDT 2009
On Monday, 17 August 2009 04:17:35, Stef Walter wrote:
> Michael Leupold wrote:
> > On Sunday, 16 August 2009 22:30:30, Stef Walter wrote:
> >> Here's a problem in a certain corner case with the way we've specified
> >> sessions. I can't see an easy fix for it.
> >>
> >> In the current secrets API, a session is used for two things:
> >>
> >> * Negotiating transport encryption of secrets.
> >> * Tracking what has been unlocked.
>
> I've been thinking about this further, and the above two things are
> unrelated. The second, really has nothing to do with the session at all.
>
> Rather than starting off our secrets API with obvious deficiencies, I'd
> like to give a shot at solving this properly. I'm sure there'll be
> enough deficiencies found after we standardize the API, without ignoring
> ones found at this stage :)
>
> Attached is a patch which does the following:
>
> * Move all secrets access to the Session object. This is not as strange
> as it sounds. We'd have GetSecret, SetSecret and GetSecrets methods.
> * RetrieveSecrets is removed from the Service object, and is replaced
> by GetSecrets on the Session object.
> * Move the various authenticate methods from the Session object to the
> Service object.
>
> This models better what we're actually trying to accomplish. The session
> has to do with accessing secrets, and the authentication stuff works far
> better on the Service object.
>
> The only way to get/set a secret is via session. Which simplifies things
> significantly, both in implementation, and doesn't limit the callers
> like the old API did.
>
> The upshot of these changes, is that it's no longer a problem for an
> application (or DBus caller) to have multiple sessions.

I'm perfectly fine with that. But I guess then the locking/unlocking stuff
should be moved to session as well (so it can be associated with a session),
specifically:

- Service.BeginAuthenticate
- Service.CompleteAuthenticate
- Service.Authenticated

If that stays in Service I don't see a way to keep track of what's unlocked
per session.

Regards,
Michael