On Sun, Feb 17, 2008 at 03:59:02AM -0800, Leo wrote:
> If someone steals the session id from cookies, will he be able to use
> it?

Yes. But guessing alone is hard because the user has to guess a valid
session ID. And Pylons makes it extra hard because half of the session
ID is encrypted with the secret key you define in your development.ini.

Stealing it is much worse. That could be made less bad if Beaker
allowed matching a certain cookie only with a certain IP address. I can't
find any hint in the Beaker documentation regarding such a feature. But
you could implement that yourself application-wise by checking the
REMOTE_ADDR from the WSGI environment (the IP address of the client,
unless you use a reverse proxy) and storing the IP address in the session.

 Christoph
-- 
[EMAIL PROTECTED]  www.workaround.org   JID: [EMAIL PROTECTED]
gpg key: 79CC6586         fingerprint: 9B26F48E6F2B0A3F7E33E6B7095E77C579CC6586
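The application-side check Christoph sketches, as an added example that is not part of the original thread and not Beaker's own code: the session is assumed to be a plain dict standing in for the mapping Beaker places in the WSGI environ, `client_ip`, `check_session_ip` and the `trusted_proxy` parameter are hypothetical names, and the reverse-proxy caveat is handled by only trusting X-Forwarded-For when REMOTE_ADDR is the proxy you configured.

```python
# Added example, not from the original mailing-list post or from Beaker.
# A plain dict stands in for the Beaker session; with Beaker you would
# use environ['beaker.session'] and session.invalidate() instead of clear().


def client_ip(environ, trusted_proxy=None):
    """Return the client address for this request.

    REMOTE_ADDR is the TCP peer. Behind a reverse proxy that is the proxy,
    not the client, so when REMOTE_ADDR equals the configured trusted proxy
    the first hop of X-Forwarded-For is used instead. X-Forwarded-For from
    any other peer is ignored because a client can set it freely.
    """
    remote = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if trusted_proxy and remote == trusted_proxy and forwarded:
        return forwarded.split(",")[0].strip()
    return remote


def check_session_ip(environ, session, trusted_proxy=None):
    """Bind the session to the address it was first used from.

    Returns True when the request may use the session. On the first
    request the address is recorded; on a later request from a different
    address the session is emptied (so a stolen cookie carries no state)
    and False is returned so the caller can force a fresh login.
    """
    ip = client_ip(environ, trusted_proxy)
    bound = session.get("bound_ip")
    if bound is None:
        session["bound_ip"] = ip
        return True
    if bound != ip:
        session.clear()
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests (documentation addresses, not real hosts).
    session = {}
    first = {"REMOTE_ADDR": "203.0.113.5"}
    replay = {"REMOTE_ADDR": "198.51.100.9"}  # same cookie, other address
    print(check_session_ip(first, session))   # True, binds to 203.0.113.5
    print(check_session_ip(replay, session))  # False, session emptied
```

Users whose address changes legitimately (mobile networks, load-balanced proxies) will be logged out by this check, so it trades some usability for a narrower window in which a stolen cookie is useful.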

You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.