"Chris McDonough" <chrism@zope.com> writes:
This is annoying, of course, but it's not too bad yet.
Yes, it's annoying and because it can be made harder easily I recommend to do so. That's the thing I wanted to point out.
casually guess (19 characters, 8 of which are randomly generated), are there mitigatable risks which have a solution that doesn't depend on unchanging IP addresses that I'm overlooking?
It's very cost effective to integrate a hash and a secret: It does cost nearly nothing for you, the maintainer of CoreSessions and it really costs nothing besides a few CPU cycles for the sites using it. But it makes it *much* harder for potential attackers to go for a session id. So I think it should be done:) Of course you are right to tell the people not to rely on sessions for sensitive data. For that there should be an integrated solution to require SSL for sensitive pages/views. Regards, Frank -- CTO fte@Lightwerk.com http://www.Lightwerk.com/ Fax: +49-2434-80 07 94 Phone: +49-2434-80 07 81 Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany