[mod_python] Question about Session security

Graham Dumpleton grahamd at dscpl.com.au
Wed Jun 15 17:25:28 EDT 2005


On 16/06/2005, at 6:36 AM, Dan Eloff wrote:

> I was looking through the Session code and I found an omission that 
> bothers me.
>
> In all the session mechanisms I've implemented in the past I have
> always checked that the person resuming the session is at the same ip
> as the person who created it.
>
> Anyone who gleans the session cookie (which is sent in plaintext on
> every request) could pass themselves off as the original person. If
> you check the ip you restrict this down from the entire internet to
> only people on the same network, which makes it less likely to happen.
>
> Is there a reason for omitting this, something I don't understand 
> maybe?

You can use req.connection to find the user's incoming IP address and
save that in the session yourself for later checking.

I.e., not a prepackaged check, but the bits are there for you to do it
yourself in the manner you need.

Graham
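As an added example of the pattern Graham describes (this is illustrative code written for this page, not part of the thread or of the mod_python code base): record the creating client's address in the session and compare it on every resume. It assumes mod_python's `req.connection.remote_ip` attribute; the `FakeRequest` class and the plain dict standing in for a real `Session` object are constructed so the code runs without Apache.

```python
# Session-to-IP binding in the style Graham suggests. Not mod_python project
# code; the request object and session dict below are constructed stand-ins.

IP_KEY = "_bound_ip"   # key under which the creating client's IP is stored


def bind_session(session, req):
    """Record the IP of the client that created this session.

    In a real handler `req` is the mod_python request and
    `req.connection.remote_ip` is the peer address Apache saw (assumed
    attribute name; check your mod_python version).
    """
    session[IP_KEY] = req.connection.remote_ip


def session_matches_client(session, req):
    """True if the session carries a bound IP and it equals the current peer."""
    bound = session.get(IP_KEY)
    return bound is not None and bound == req.connection.remote_ip


def resume_or_reset(session, req):
    """Apply the binding policy to a session loaded from the cookie.

    Returns "new" for a session that has not been bound yet, "resumed" when
    the bound IP matches, and "reset" when it does not.  On a mismatch the
    old contents are discarded and a fresh binding is made, so the caller
    never serves another client's data.  With a real mod_python Session you
    would call session.invalidate() and create a new Session instead of
    clearing a dict.
    """
    if IP_KEY not in session:
        bind_session(session, req)
        return "new"
    if session_matches_client(session, req):
        return "resumed"
    session.clear()
    bind_session(session, req)
    return "reset"


# --- constructed stand-ins so the example runs outside Apache ---------------

class _FakeConnection:
    def __init__(self, ip):
        self.remote_ip = ip


class FakeRequest:
    """Minimal stand-in exposing only req.connection.remote_ip."""
    def __init__(self, ip):
        self.connection = _FakeConnection(ip)


def demo():
    """Walk a session through creation, a legitimate resume, and a resume
    from a different address.  Addresses are RFC 5737 documentation ranges."""
    session = {}                                   # stands in for Session(req)
    creator = FakeRequest("192.0.2.10")            # constructed client
    first = resume_or_reset(session, creator)      # "new"
    second = resume_or_reset(session, creator)     # "resumed"
    other = FakeRequest("198.51.100.7")            # constructed, different host
    third = resume_or_reset(session, other)        # "reset"
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The check narrows who can reuse a leaked cookie to hosts that present the same address; it does not protect clients behind a shared proxy or NAT, and it will log out legitimate users whose address changes mid-session (mobile networks, rotating proxies), so a mismatch is best treated as "start a fresh session" rather than as proof of attack. Sending the cookie only over HTTPS with the Secure flag is the control that actually keeps it out of plaintext.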
