[mod_python] Question about Session security

Graham Dumpleton grahamd at dscpl.com.au
Wed Jun 15 17:25:28 EDT 2005

On 16/06/2005, at 6:36 AM, Dan Eloff wrote:

> I was looking through the Session code and I found an omission that 
> bothers me.
> In all the session mechanisms I've implemented in the past I have
> always checked that the person resuming the session is at the same ip
> as the person who created it.
> Anyone who gleans the session cookie (which is sent in plaintext on
> every request) could pass themselves off as the original person. If
> you check the ip you restrict this down from the entire internet to
> only people on the same network, which makes it less likely to happen.
> Is there a reason for omitting this, something I don't understand 
> maybe?

You can use req.connection to find the users incoming IP address and
save that in the session yourself for later checking.

Ie., not a prepackaged check, but the bits are there for you to do it
yourself in the manner you need.


More information about the Mod_python mailing list