[mod_python] Question about Session security

dharana dharana at dharana.net
Wed Jun 15 17:47:19 EDT 2005

To check against IP can be a burden for some users. If your users are behind a 
wall of load balanced proxies with different IP addresses (and/or network) they 
may find their sessions reloaded every two requests.

I think it's better to leave it to the people implementing it to choose wether 
or not to take the risk.

Dan Eloff wrote:
> I was looking through the Session code and I found an omission that bothers me.
> In all the session mechanisms I've implemented in the past I have
> always checked that the person resuming the session is at the same ip
> as the person who created it.
> Anyone who gleans the session cookie (which is sent in plaintext on
> every request) could pass themselves off as the original person. If
> you check the ip you restrict this down from the entire internet to
> only people on the same network, which makes it less likely to happen.
> Is there a reason for omitting this, something I don't understand maybe?
> -Dan
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python


More information about the Mod_python mailing list