Jim Gallacher
jg.lists at sympatico.ca
Wed Jun 15 17:41:42 EDT 2005
Graham Dumpleton wrote:
> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>
>> I was looking through the Session code and I found an omission that
>> bothers me.
>>
>> In all the session mechanisms I've implemented in the past I have
>> always checked that the person resuming the session is at the same ip
>> as the person who created it.
>>
>> Anyone who gleans the session cookie (which is sent in plaintext on
>> every request) could pass themselves off as the original person. If
>> you check the ip you restrict this down from the entire internet to
>> only people on the same network, which makes it less likely to happen.
>>
>> Is there a reason for omitting this, something I don't understand maybe?
>
> You can use req.connection to find the user's incoming IP address and
> save that in the session yourself for later checking.
>
> I.e., not a prepackaged check, but the bits are there for you to do it
> yourself in the manner you need.

Since I'm (still) messing with the session code, maybe this is worth
building into the base code now? If it is a security issue let's
address it and save users the worry and bother of implementing their
own.

Jim
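The check Graham describes (record the creating client's address in the session, compare it on resume), as an added example that is not code from this thread or from mod_python itself. It is written against constructed stand-ins for `req` and `Session` so it runs without mod_python; the real objects would expose `req.connection.remote_ip` and `Session.invalidate()`.

```python
# Added example, not mod_python's code. FakeRequest and FakeSession are
# constructed stand-ins with only the attributes the check needs.

class FakeConnection:
    def __init__(self, remote_ip):
        self.remote_ip = remote_ip

class FakeRequest:
    """Stand-in for mod_python's req: exposes req.connection.remote_ip."""
    def __init__(self, remote_ip):
        self.connection = FakeConnection(remote_ip)

class FakeSession(dict):
    """Stand-in for mod_python's Session: a dict plus invalidate()."""
    def __init__(self):
        super().__init__()
        self.invalidated = False

    def invalidate(self):
        self.clear()
        self.invalidated = True

IP_KEY = "_client_ip"   # session key this example reserves for the bound address

def bind_or_verify_client(session, req):
    """Bind a new session to the client's address, or verify a resumed one.

    Returns True if the session may be used, False if it was rejected and
    invalidated because the resuming client's address differs from the one
    recorded when the session was created.

    Caveat: behind a reverse proxy remote_ip is the proxy's address, so every
    client looks the same; and clients behind NAT or on mobile links change
    address legitimately. Treat this as defence in depth, not a substitute
    for protecting the cookie in transit.
    """
    current_ip = req.connection.remote_ip
    bound_ip = session.get(IP_KEY)
    if bound_ip is None:
        # First request in this session: record the creating client's address.
        session[IP_KEY] = current_ip
        return True
    if bound_ip != current_ip:
        # Cookie presented from a different address than the one that created
        # the session: discard the session rather than trust it.
        session.invalidate()
        return False
    return True
```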