I suppose I could implement something like this (encode the IP address into the token) and provide a knob to turn it on and off on the id manager. I'm not going to do this for the first iteration, I need to get it working first. :-)

Steve Spicklemire wrote:
I forget now where I saw this.... but one of the session managers I looked at once checked the IP address of the visitor to make sure it was the same for the entire session, or longer. This at least makes it much harder to hijack a session, even though it means that long-lived cookies might be fooled as a user gets a new dynamic IP address...
-steve
"Chris" == Chris McDonough <chrism@digicool.com> writes:
Chris> Session tokens, AFAICT, cannot be secured. They can only
Chris> be obfuscated, which mitigates the risk that they will be
Chris> guessed. However, there's no way to completely secure
Chris> them, no matter how many MD5 hashing algorithms you run on
Chris> them. If a session token is stolen, that's the key that
Chris> the "attacker" needs to visit the website "as you". I've
Chris> addressed this in the implementation by giving the session
Chris> token a random element, and this mitigates a guessing
Chris> attack, but not a theft attack.
--
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
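The scheme the thread is circling (a session token with a random element so it cannot be guessed, plus an on/off knob that binds the token to the visitor's IP address so a stolen copy cannot be replayed from elsewhere), as an added Python example. This is not Zope's id manager and not code from either poster; it uses HMAC-SHA256 rather than the MD5 chaining Chris mentions, and the class name, key handling and the sample addresses are assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets


class SessionIdManager:
    """Hypothetical session-token issuer/checker (not Zope's id manager).

    A token is  <nonce>.<tag>  where nonce is 128 random bits (the "random
    element" that defeats guessing) and tag = HMAC-SHA256(key, nonce || ip).
    With bind_ip=False the ip part is empty, so the token is accepted from
    any address; with bind_ip=True a token replayed from a different address
    fails the tag check.  Neither setting helps if the thief is behind the
    same address as the victim, and the bound form also rejects a legitimate
    user whose dynamic IP changed mid-session (the trade-off Steve notes).
    """

    NONCE_LEN = 16  # bytes of randomness per token

    def __init__(self, server_key, bind_ip=False):
        self._key = server_key   # secret that never leaves the server
        self.bind_ip = bind_ip   # the on/off knob

    def _tag(self, nonce, client_ip):
        bound = client_ip.encode() if self.bind_ip else b""
        return hmac.new(self._key, nonce + b"|" + bound, hashlib.sha256).hexdigest()

    def new_token(self, client_ip):
        nonce = secrets.token_bytes(self.NONCE_LEN)
        return nonce.hex() + "." + self._tag(nonce, client_ip)

    def check_token(self, token, client_ip):
        """True only if the token was issued by us and (if bound) from this IP."""
        try:
            nonce_hex, tag = token.split(".", 1)
            nonce = bytes.fromhex(nonce_hex)
        except ValueError:
            return False          # malformed token
        if len(nonce) != self.NONCE_LEN:
            return False
        # Constant-time compare so a timing side channel cannot leak tag bytes.
        return hmac.compare_digest(tag, self._tag(nonce, client_ip))


def demo():
    """Exercise both knob settings against a constructed theft scenario."""
    key = secrets.token_bytes(32)
    victim_ip, thief_ip, new_dynamic_ip = "203.0.113.5", "198.51.100.7", "203.0.113.99"
    results = {}

    loose = SessionIdManager(key, bind_ip=False)
    tok = loose.new_token(victim_ip)
    results["unbound_same_ip"] = loose.check_token(tok, victim_ip)
    results["unbound_stolen"] = loose.check_token(tok, thief_ip)       # theft works

    strict = SessionIdManager(key, bind_ip=True)
    tok = strict.new_token(victim_ip)
    results["bound_same_ip"] = strict.check_token(tok, victim_ip)
    results["bound_stolen"] = strict.check_token(tok, thief_ip)        # theft fails
    results["bound_dynamic_ip"] = strict.check_token(tok, new_dynamic_ip)  # legit user also fails
    # A guessed token: right shape, but the attacker cannot compute the tag without the key.
    results["forged"] = strict.check_token("00" * 16 + "." + "0" * 64, victim_ip)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} accepted={ok}")
```

The knob lives on the manager rather than in the token, so flipping it invalidates every outstanding token (the tag no longer recomputes); a deployment that wants a gentler switch would have to issue fresh tokens on the next request instead.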