[mod_python] Question about Session security

Jim Gallacher jg.lists at sympatico.ca
Wed Jun 15 17:41:42 EDT 2005

Graham Dumpleton wrote:
> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>> I was looking through the Session code and I found an omission that 
>> bothers me.
>> In all the session mechanisms I've implemented in the past I have
>> always checked that the person resuming the session is at the same ip
>> as the person who created it.
>> Anyone who gleans the session cookie (which is sent in plaintext on
>> every request) could pass themselves off as the original person. If
>> you check the ip you restrict this down from the entire internet to
>> only people on the same network, which makes it less likely to happen.
>> Is there a reason for omitting this, something I don't understand maybe?
> You can use req.connection to find the users incoming IP address and
> save that in the session yourself for later checking.
> Ie., not a prepackaged check, but the bits are there for you to do it
> yourself in the manner you need.

Since I'm (still) messing with the session code, maybe this is worth 
building this into the base code now? If it is a security issue let's 
address it and save users the worry and bother of implementing their own.


More information about the Mod_python mailing list