[ZODB-Dev] SecureServerStorage and SecureClientStorage

Guido van Rossum guido@python.org
Fri, 04 Oct 2002 09:00:15 -0400


> 2. It's authenticated per connection id (storage_id). I don't know if
> this is optimal. Isn't it possible that an attacker can send bogus
> connection ids and access the storage unauthenticated (this is only
> possible under a few microseconds on a relatively fast machine, since
> it's dropped just after it's checked).

Since you do this by overriding register(), you should be safe.  As
long as register() hasn't been called the ZEOStorage instance doesn't
have a storage attached to it -- individual requests do not specify
the storage id.

--Guido van Rossum (home page: http://www.python.org/~guido/)
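
The binding described in the reply above, as an added example that is not part of the original message and is not ZEO code: a simplified per-connection handler in which the storage is attached only by an authenticated register() and requests carry no storage id. The class, method signatures, token table and sample storage are hypothetical, constructed for illustration.

```python
import hmac

# Constructed sample data (hypothetical): one storage and one client token.
STORAGES = {"1": {"oid-0": b"root object"}}
TOKENS = {"alice": "constructed-token-123"}


class NotRegistered(Exception):
    """Raised when a request arrives before a successful register()."""


class ConnectionHandler:
    """One instance per client connection (simplified model, not ZEO code)."""

    def __init__(self):
        self.storage = None  # nothing attached until register() succeeds

    def _authenticate(self, user, token):
        expected = TOKENS.get(user, "")
        # Constant-time comparison; an unknown user compares against "".
        return hmac.compare_digest(expected, token)

    def register(self, storage_id, user, token):
        # Authentication happens here, before any storage is attached.
        if not self._authenticate(user, token):
            raise PermissionError("authentication failed")
        if storage_id not in STORAGES:
            raise KeyError(storage_id)
        self.storage = STORAGES[storage_id]

    def load(self, oid):
        # Requests name no storage id; they can only reach self.storage.
        if self.storage is None:
            raise NotRegistered("register() has not been called")
        return self.storage[oid]


def demo():
    """Probe three fresh connections: no register, bad token, good token."""
    results = []
    for user, token in [(None, None), ("alice", "wrong"),
                        ("alice", "constructed-token-123")]:
        conn = ConnectionHandler()
        try:
            if user is not None:
                conn.register("1", user, token)
            results.append(conn.load("oid-0"))
        except (NotRegistered, PermissionError) as exc:
            results.append(type(exc).__name__)
    return results
```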