[mod_python] Question about Session security

Jim Gallacher jg.lists at sympatico.ca
Wed Jun 15 18:49:06 EDT 2005

Adrian Holovaty wrote:
> Nick wrote:
>>Jim Gallacher wrote:
>>>>You can use req.connection to find the users incoming IP address and
>>>>save that in the session yourself for later checking.
>>>>Ie., not a prepackaged check, but the bits are there for you to do it
>>>>yourself in the manner you need.
>>>Since I'm (still) messing with the session code, maybe this is worth
>>>building this into the base code now? If it is a security issue let's
>>>address it and save users the worry and bother of implementing their own.
> I'm not sure it's foolproof to assume a user's IP address will be the same 
> throughout a session. I seem to recall that AOL users have different IP 
> addresses throughout sessions, because the AOL proxies use some sort of 
> round-robin system.

Evidence is rapidly mounting that this is a bad idea, or at least 
difficult to implement in a dependable way.


More information about the Mod_python mailing list