Dan Eloff
dan.eloff at gmail.com
Wed Jun 15 16:36:22 EDT 2005
I was looking through the Session code and I found an omission that bothers me. In all the session mechanisms I've implemented in the past I have always checked that the person resuming the session is at the same IP as the person who created it. Anyone who gleans the session cookie (which is sent in plaintext on every request) could pass themselves off as the original person. If you check the IP you restrict this down from the entire internet to only people on the same network, which makes it less likely to happen. Is there a reason for omitting this, something I don't understand maybe?

-Dan
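The check Dan describes, written out as an added Python example (editor's illustration, not the Session code he is reading or anything from that project): each session record stores the client IP at creation, and a resume from any other address is refused and recorded for detection. The `SessionStore` class, its `audit` list and the `demo()` walkthrough are names chosen for this example; the user name and IP addresses are constructed sample values. One trade-off worth seeing in the code: exact-IP binding rejects legitimate users whose address changes mid-session (proxy pools, mobile networks), so the mismatch path here logs rather than silently failing.

```python
"""Session store that binds each session to the client IP that created it.

Added illustration only: SessionStore, its audit list and demo() are
hypothetical names for this example, and the user/IP values are constructed.
"""
import secrets
import time


class SessionStore:
    """In-memory sessions keyed by an unguessable id, each bound to an origin IP."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}   # session_id -> {"user", "ip", "last_seen"}
        self.audit = []       # rejected resumes, for the server's alerting pipeline

    def create(self, user, client_ip, now=None):
        """Start a session for `user` and record the IP the request came from."""
        now = time.time() if now is None else now
        # 32 random bytes: the id itself must be unguessable; the IP check only
        # narrows who can replay a leaked one, as the post says.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "last_seen": now}
        return sid

    def resume(self, session_id, client_ip, now=None):
        """Return (user, status); `user` is None unless status == "ok"."""
        now = time.time() if now is None else now
        record = self._sessions.get(session_id)
        if record is None:
            return None, "unknown session"
        if now - record["last_seen"] > self.ttl:
            del self._sessions[session_id]
            return None, "expired"
        if record["ip"] != client_ip:
            # A valid cookie arriving from a different address is the hijack
            # scenario from the post: refuse it and leave a trace for detection.
            self.audit.append({"session": session_id, "expected": record["ip"],
                               "seen": client_ip, "at": now})
            return None, "ip mismatch"
        record["last_seen"] = now
        return record["user"], "ok"


def demo():
    """Walk through the normal and hijack paths; returns the statuses observed."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_000_000.0                       # fixed clock so the run is deterministic
    sid = store.create("alice", "203.0.113.7", now=t0)
    results = {
        "same_ip": store.resume(sid, "203.0.113.7", now=t0 + 10),
        "other_ip": store.resume(sid, "198.51.100.9", now=t0 + 20),
        "unknown": store.resume("not-a-real-id", "203.0.113.7", now=t0 + 30),
        "expired": store.resume(sid, "203.0.113.7", now=t0 + 10 + 601),
    }
    results["audit_events"] = len(store.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the four outcomes: the same-IP resume succeeds, the other-IP resume is refused and leaves one audit event, an unknown id is rejected, and the session expires once idle longer than the TTL.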