Michael, I really don't know how it would be possible; I only know the following:

1. My production web server restarts a few times per day, sometimes twice in a really short period (i.e. 2-3 minutes).

2. I got a report from a _new_ user that he received an e-mail with login and password, clicked the link and became logged in as another user without entering login and password. Our auth is based on putting user_id in the session, so a new user must have a new clean session without any data. Any other ideas how he could be logged in as another user, except a session duplicate?

3. After that report I cleaned the django_session table so all existing sessions should have expired immediately. After this I got one more report from another user who said that he was working in his app (was logged in), then somehow he became another logged-in user. I opened the logs and found that these users logged in to the system at the same time.
And one more thing about IP checking: ok, I agree about network sniffing (but there is still a possibility that sniffing was started after I logged in, so the attacker could not see my password but he could see my session id :) ). But please don't forget that session cookies may also be stolen via XSS.
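The two reports above (a fresh user landing in someone else's session, and two users who logged in at the same moment ending up in one session) are what a session-key collision looks like from the outside. The thread does not establish that this is actually what happened, so the following is an added illustration, not code from the poster's project or from Django: a toy shared session table plus two "worker" processes whose key generators are seeded identically (a constructed weak generator, standing in for whatever a restarting process might do), showing how the second login silently takes over the first user's row unless the table refuses duplicate keys, and beside it a CSPRNG-backed generator and a session cookie marked HttpOnly against the XSS theft mentioned above. Names such as SessionTable, Worker and the seed value are assumptions made for the example.

```python
import random
import secrets


class SessionTable:
    """Shared server-side session table (stands in for django_session;
    an illustrative in-memory store, not Django's own implementation)."""

    def __init__(self):
        self._rows = {}  # session_key -> session data dict

    def insert(self, key, data, enforce_unique=True):
        # A uniqueness constraint on the key is what stops two workers from
        # silently ending up in the same session row.
        if enforce_unique and key in self._rows:
            raise KeyError("duplicate session key")
        self._rows[key] = data

    def user_for(self, key):
        row = self._rows.get(key)
        return None if row is None else row.get("user_id")

    def clear(self):
        # Equivalent of truncating the session table: every key is invalid.
        self._rows.clear()


class Worker:
    """One web server process; it owns its own key generator."""

    def __init__(self, table, keygen):
        self.table = table
        self.keygen = keygen

    def login(self, user_id, enforce_unique=True, max_attempts=8):
        for _ in range(max_attempts):
            key = self.keygen()
            try:
                self.table.insert(key, {"user_id": user_id}, enforce_unique)
                return key
            except KeyError:
                continue  # collision: draw a fresh key rather than reuse it
        raise RuntimeError("could not allocate a unique session key")


def weak_keygen_factory(seed):
    """Constructed weak generator: a PRNG seeded with a low-entropy value.
    Two processes (or one process before and after a restart) that seed
    identically emit the same key sequence."""
    rng = random.Random(seed)
    return lambda: "%032x" % rng.getrandbits(128)


def strong_keygen():
    """CSPRNG-backed 128-bit session key."""
    return secrets.token_hex(16)


def cross_over_demo(enforce_unique):
    """Two workers with identically seeded weak generators log in two
    different users at the same time.
    Returns (alice_key, bob_key, user_id_alice_now_sees)."""
    table = SessionTable()
    alice_worker = Worker(table, weak_keygen_factory(seed=20080101))
    bob_worker = Worker(table, weak_keygen_factory(seed=20080101))
    alice_key = alice_worker.login(user_id=1, enforce_unique=enforce_unique)
    bob_key = bob_worker.login(user_id=2, enforce_unique=enforce_unique)
    return alice_key, bob_key, table.user_for(alice_key)


def strong_keys_unique(n=10_000):
    """Sanity check: n keys from the CSPRNG generator are all distinct."""
    return len({strong_keygen() for _ in range(n)}) == n


def session_cookie_header(key):
    """Set-Cookie value for the session id. HttpOnly keeps document.cookie
    from exposing it to injected script; Secure keeps it off plaintext HTTP."""
    return f"sessionid={key}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print("no uniqueness check:", cross_over_demo(enforce_unique=False))
    print("with uniqueness check:", cross_over_demo(enforce_unique=True))
    print("strong keys distinct:", strong_keys_unique())
    print(session_cookie_header(strong_keygen()))
```

Without the uniqueness check the second login overwrites the first user's row, so the browser still holding the first key now resolves to user 2, which is the "somehow he became another logged-in user" symptom; with the check, the colliding worker simply draws again. Note that neither IP pinning nor clearing the table fixes a generator that keeps producing the same keys; only the generator and the uniqueness constraint do, while HttpOnly addresses the separate XSS-theft path.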