[mod_python] Question about Session security

Jim Gallacher jg.lists at sympatico.ca
Wed Jun 15 17:48:59 EDT 2005

Jim Gallacher wrote:
> Graham Dumpleton wrote:
>> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>>> I was looking through the Session code and I found an omission that 
>>> bothers me.
>>> In all the session mechanisms I've implemented in the past I have
>>> always checked that the person resuming the session is at the same ip
>>> as the person who created it.
>>> Anyone who gleans the session cookie (which is sent in plaintext on
>>> every request) could pass themselves off as the original person. If
>>> you check the ip you restrict this down from the entire internet to
>>> only people on the same network, which makes it less likely to happen.
>>> Is there a reason for omitting this, something I don't understand maybe?
>> You can use req.connection to find the users incoming IP address and
>> save that in the session yourself for later checking.
>> Ie., not a prepackaged check, but the bits are there for you to do it
>> yourself in the manner you need.
> Since I'm (still) messing with the session code, maybe this is worth 
> building this into the base code now? If it is a security issue let's 
> address it and save users the worry and bother of implementing their own.

Oh and another thing that's always bother me just a little - md5 
collisions of the generated session id's. I know the probability of a 
collision is extremely low, but it is finite. Checking an existing 
session against the ip would eliminate any chance of a collision (I think).


More information about the Mod_python mailing list