Date:         Thu, 13 Jun 2002 22:34:06 +0100
Reply-To:     "Z39.50 Next-Generation Initiative" <[log in to unmask]>
Sender:       "Z39.50 Next-Generation Initiative" <[log in to unmask]>
From:         Robert Sanderson <[log in to unmask]>
Subject:      Re: result set model for srw
Comments: To: "Z39.50 Next-Generation Initiative" <[log in to unmask]>
Comments: cc: [log in to unmask]
In-Reply-To:  <[log in to unmask]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

> > > If we have (persistent) result set names, do we still need session ids?
> > Yes. Otherwise you could subvert other users' result sets as you don't
> > know who created it.
> By "subvert" I assume you're referring to spoofing? (That is, I assume we're
> not concerned about ambiguity, since the server is assigning names.) How does
> the session id help with that problem?

As I understand it, you should refuse requests on resultsets where the
session id is different from the one that created the result set.

So, session A creates a resultset called 'rs1'. Session B, a rogue SOAP
DDOS attack, sends repeated delete resultset messages. Without the session
id to distinguish A from B, if B sent delete 'rs1' then the server would
have to do it.

Welcome to the wonderful world of stateless connections :/

Rob

--
      ,'/:.          Rob Sanderson ([log in to unmask])
    ,'-/::::.        http://www.o-r-g.org/~azaroth/
  ,'--/::(@)::.      Special Collections and Archives, extension 3142
,'---/::::::::::.    Twin Cathedrals:  telnet: liverpool.o-r-g.org 7777
____/:::::::::::::.              WWW:  http://liverpool.o-r-g.org:8000/
I L L U M I N A T I
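
The check described in the message above, as an added example that is not part of the original post or of any SRW implementation: a minimal in-memory store that records which session created each result set and refuses a delete request from any other session. The class and function names, and the use of random server-issued session ids, are assumptions made for illustration.

```python
import hmac
import secrets


class ResultSetStore:
    """Toy server state: result set name -> (owner session id, records)."""

    def __init__(self, enforce_owner=True):
        self.enforce_owner = enforce_owner
        self._sets = {}
        self._counter = 0

    def new_session(self):
        # Assumption: session ids are issued by the server and unguessable.
        return secrets.token_urlsafe(16)

    def create(self, session_id, records):
        # The server assigns the name, so names are unambiguous but predictable.
        self._counter += 1
        name = f"rs{self._counter}"
        self._sets[name] = (session_id, list(records))
        return name

    def delete(self, session_id, name):
        """Return True if deleted, False if refused or unknown."""
        entry = self._sets.get(name)
        if entry is None:
            return False
        owner, _ = entry
        # Refuse when the requesting session is not the one that created the set.
        if self.enforce_owner and not hmac.compare_digest(owner, session_id):
            return False
        del self._sets[name]
        return True

    def exists(self, name):
        return name in self._sets


def replay_scenario(enforce_owner):
    """Session A creates 'rs1'; session B then asks to delete it."""
    store = ResultSetStore(enforce_owner=enforce_owner)
    a, b = store.new_session(), store.new_session()
    name = store.create(a, ["rec1", "rec2"])   # constructed sample records
    b_deleted = store.delete(b, name)          # request from the other session
    survived = store.exists(name)
    a_deleted = store.delete(a, name)          # request from the creator
    return name, b_deleted, survived, a_deleted
```

With `enforce_owner=False` the store behaves like the server without session ids: session B's delete of 'rs1' is honoured and A's result set is gone.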

