[Zope-dev] Re: CoreSessionTracking proposal

Chris McDonough chrism@digicool.com
Mon, 02 Oct 2000 10:56:01 -0400


I suppose I could implement something like this (encode the IP address
into the token) and provide a knob to turn it on and off on the id
manager.  I'm not going to do this for the first iteration; I need to
get it working first.  :-)

Steve Spicklemire wrote:
> 
> I forget now where I saw this.... but one of the session managers I looked
> at once checked the IP address of the visitor to make sure it was the
> same for the entire session, or longer. This at least makes it much harder
> to hijack a session, even though it means that long-lived cookies might
> be fooled as a user gets a new dynamic IP address...
> 
> -steve
> 
> >>>>> "Chris" == Chris McDonough <chrism@digicool.com> writes:
> 
>     Chris> Session tokens, AFAICT, cannot be secured.  They can only
>     Chris> be obfuscated, which mitigates the risk that they will be
>     Chris> guessed.  However, there's no way to completely secure
>     Chris> them, no matter how many MD5 hashing algorithms you run on
>     Chris> them.  If a session token is stolen, that's the key that
>     Chris> the "attacker" needs to visit the website "as you".  I've
>     Chris> addressed this in the implementation by giving the session
>     Chris> token a random element, and this mitigates a guessing
>     Chris> attack, but not a theft attack.

-- 
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
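The two ideas in this thread (a session token with a random element, plus an optional "knob" that folds the client's IP address into the token so a copied token fails from another address) are sketched below as an added example; this is not Zope's CoreSessionTracking code or Chris's implementation. It assumes a server-side secret, uses HMAC-SHA256 rather than the MD5 mentioned in the thread, and the `SessionIdManager` class, its `bind_ip` flag and the sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SessionIdManager:
    """Issue and validate session tokens of the form <random>.<mac>.

    bind_ip is the 'knob' from the thread: when True the client's IP address
    is mixed into the MAC, so the same token presented from a different
    address fails validation (with the dynamic-IP caveat Steve raised).
    """

    def __init__(self, secret: bytes, bind_ip: bool = False):
        self._secret = secret          # server-side secret, never sent to the client
        self.bind_ip = bind_ip

    def _mac(self, random_part: str, client_ip: str) -> str:
        # The IP address only contributes to the MAC when the knob is on.
        ip_part = client_ip if self.bind_ip else ""
        msg = f"{random_part}|{ip_part}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def new_token(self, client_ip: str) -> str:
        # 128 bits of randomness: this is what defeats a guessing attack.
        random_part = secrets.token_hex(16)
        return f"{random_part}.{self._mac(random_part, client_ip)}"

    def validate(self, token: str, client_ip: str) -> bool:
        # A stolen token still validates unless bind_ip is on and the
        # presenting address differs from the one it was issued to.
        try:
            random_part, mac = token.split(".", 1)
        except ValueError:
            return False
        return hmac.compare_digest(mac, self._mac(random_part, client_ip))


if __name__ == "__main__":
    # Constructed demonstration: issue to one address, replay from another.
    mgr = SessionIdManager(b"constructed-demo-secret", bind_ip=True)
    tok = mgr.new_token("10.0.0.5")
    print("same address:     ", mgr.validate(tok, "10.0.0.5"))
    print("other address:    ", mgr.validate(tok, "192.0.2.7"))
    mgr.bind_ip = False
    print("knob off, other:  ", mgr.validate(mgr.new_token("10.0.0.5"), "192.0.2.7"))
```

Because the random part and MAC are both in the token, the server needs no per-token storage to check the IP binding; the trade-off is exactly the one in the thread, a user whose address changes mid-session is logged out.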