dharana
dharana at dharana.net
Wed Jun 15 17:47:19 EDT 2005
To check against IP can be a burden for some users. If your users are behind a wall of load-balanced proxies with different IP addresses (and/or network) they may find their sessions reloaded every two requests. I think it's better to leave it to the people implementing it to choose whether or not to take the risk.

Dan Eloff wrote:
> I was looking through the Session code and I found an omission that bothers me.
>
> In all the session mechanisms I've implemented in the past I have
> always checked that the person resuming the session is at the same ip
> as the person who created it.
>
> Anyone who gleans the session cookie (which is sent in plaintext on
> every request) could pass themselves off as the original person. If
> you check the ip you restrict this down from the entire internet to
> only people on the same network, which makes it less likely to happen.
>
> Is there a reason for omitting this, something I don't understand maybe?
>
> -Dan
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
>
>

-- 
dharana
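An added example (not mod_python's Session code, and not from either poster) that makes the trade-off in this thread concrete: a hypothetical SessionStore binds a session to the client address at creation under a configurable policy, and count_reloads simulates a user whose requests arrive through a rotating proxy pool. All addresses are constructed documentation ranges.

```python
import ipaddress
import secrets

# Hypothetical session store (not mod_python's). It binds a session to the
# client's address at creation and re-checks it on resume, under a policy:
#   "none"   - never check (the behaviour the thread describes)
#   "exact"  - resuming IP must equal the creating IP
#   "subnet" - resuming IP must lie in the creating IP's /24 (v4) or /64 (v6)
class SessionStore:
    def __init__(self, policy="exact"):
        self.policy = policy
        self._sessions = {}

    @staticmethod
    def _network(ip):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network((ip, prefix), strict=False)

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable id; the binding only limits replay
        self._sessions[sid] = {"user": user, "ip": client_ip, "net": self._network(client_ip)}
        return sid

    def resume(self, sid, client_ip):
        """Return session data, or None (dropping the session) if the address check fails."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        mismatch = (
            (self.policy == "exact" and sess["ip"] != client_ip)
            or (self.policy == "subnet" and ipaddress.ip_address(client_ip) not in sess["net"])
        )
        if mismatch:
            del self._sessions[sid]
            return None
        return sess

def count_reloads(policy, request_ips):
    """Simulate one user whose requests arrive from request_ips in order (e.g. through a
    rotating proxy pool); return how many requests lost their session and had to restart."""
    store = SessionStore(policy)
    sid = store.create("alice", request_ips[0])
    reloads = 0
    for ip in request_ips[1:]:
        if store.resume(sid, ip) is None:
            reloads += 1
            sid = store.create("alice", ip)
    return reloads
```

With the "exact" policy a user behind a pool of three egress addresses loses the session on nearly every request, while "subnet" keeps it and still rejects a replay from an unrelated network (but not one from the same /24, which is exactly the residual risk Dan describes).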