[mod_python] Question about Session security

Dan Eloff dan.eloff at gmail.com
Wed Jun 15 16:36:22 EDT 2005

I was looking through the Session code and I found an omission that bothers me.

In all the session mechanisms I've implemented in the past I have
always checked that the person resuming the session is at the same ip
as the person who created it.

Anyone who gleans the session cookie (which is sent in plaintext on
every request) could pass themselves off as the original person. If
you check the ip you restrict this down from the entire internet to
only people on the same network, which makes it less likely to happen.

Is there a reason for omitting this, something I don't understand maybe?


More information about the Mod_python mailing list