On 12/12/06, Benjamin Slavin <[EMAIL PROTECTED]> wrote:
> Sessions are based on data passed from the client to the server.
> Because this data can easily be forged, session impersonation is
> possible. That's where picking hard-to-guess identifiers comes in.
> If you have a secure random session ID, you can effectively rule out
> guessing, but you can't rule out malicious behavior (such as browser
> exploits).
With sparse session keys, the only reasonable attack I can see is MITM or replay. And no fingerprinting based on the request will help that, since all the headers are in the clear.
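The two points in this exchange, that a long random session ID rules out guessing and that a header fingerprint cannot stop a replay because the eavesdropper sees the headers too, can be shown in a few lines. The following is an added example written for this page, not code from Django or from either poster: a toy server-side session store that binds each ID to a User-Agent/Accept-Language fingerprint, a simulated passive sniffer on plaintext HTTP, and a verbatim replay. The class and function names (`SessionStore`, `sniff`, `replay_succeeds`, `guessing_succeeds`) and the header values are invented for the illustration.

```python
"""Added illustration (not code from the thread): a session store that binds
each session ID to a request-header fingerprint, plus a simulated eavesdropper
who captures one plaintext request and replays it unchanged."""
import hmac
import secrets

SESSION_ID_BYTES = 32  # 256 random bits: blind guessing of a live ID is infeasible


def new_session_id() -> str:
    """Cryptographically strong, URL-safe session identifier (43 characters)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def fingerprint(headers: dict) -> str:
    """Fingerprint built only from request headers. Over plain HTTP these travel
    in the clear next to the cookie, so a sniffer learns both at once."""
    return "|".join(headers.get(name, "") for name in ("User-Agent", "Accept-Language"))


class SessionStore:
    """Server side: maps session ID -> user and the fingerprint seen at login."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, user: str, headers: dict) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "fp": fingerprint(headers)}
        return sid

    def lookup(self, sid: str, headers: dict):
        """Return the user if the ID exists and the fingerprint still matches, else None."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        # Constant-time comparison so a timing side channel cannot leak the stored value.
        if not hmac.compare_digest(data["fp"], fingerprint(headers)):
            return None
        return data["user"]


def sniff(request: dict) -> dict:
    """A passive MITM on plaintext HTTP sees the whole request: cookie and headers alike."""
    return dict(request)


def replay_succeeds() -> bool:
    """Simulate a login, a captured follow-up request, and a verbatim replay by the
    eavesdropper. Returns True if the replay is accepted despite the fingerprint check."""
    store = SessionStore()
    # Constructed sample headers for the victim's browser (hypothetical values).
    victim_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/2.0",
                      "Accept-Language": "en-US"}
    sid = store.create("alice", victim_headers)
    # The victim's next request carries the cookie and the headers in the clear.
    captured = sniff({"Cookie": f"sessionid={sid}", **victim_headers})
    attacker_sid = captured["Cookie"].split("=", 1)[1]
    attacker_headers = {k: v for k, v in captured.items() if k != "Cookie"}
    return store.lookup(attacker_sid, attacker_headers) == "alice"


def guessing_succeeds(store: SessionStore, attempts: int = 10_000) -> bool:
    """Blind guessing against 256-bit IDs: no attempt is expected to find a live session."""
    probe_headers = {}
    return any(store.lookup(new_session_id(), probe_headers) is not None
               for _ in range(attempts))


if __name__ == "__main__":
    print("replay with sniffed headers accepted:", replay_succeeds())
    print("random guessing found a session:", guessing_succeeds(SessionStore()))
```

The fingerprint does reject a request whose headers differ from the login request, which is why it is sometimes proposed, but an attacker who obtained the cookie by sniffing also has the exact headers to present, so the check only inconveniences legitimate users whose browser or language settings change mid-session. Confidentiality of the cookie in transit (TLS) is what actually closes the MITM/replay gap the reply describes.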
