On Feb 18, 2008 4:35 PM, Ben Bangert <[EMAIL PROTECTED]> wrote:
> On Feb 17, 2008, at 3:59 AM, Leo wrote:
> > So, subj.
> > If someone steals the session id from cookies, will he be able to use it?
>
> As with every other website out there.... yes. Only using IP-based restrictions will help, but there's still quite a few people behind proxies, though nowhere near as many since ppl appear to be bailing on AOL finally. I have it on my todo list to add IP restrictions to sessions, but I should mention that ppl can hijack Google sessions as easily as any others, and they do.
>
> Generally, if you care a lot about security, use separate 'secure-only' cookies on SSL for sections that are critical, and just a more basic, less secure cookie for the rest of the site (assuming there is a less secure section to the site).
I change IP addresses all of the time, e.g. work, home, cafe wireless, 3G wireless card, etc. If I had to re-login to all of the web apps I use any time I open my laptop it would be pretty annoying. We don't really have this problem because we use SSL for any part of our app that has a login cookie, so it's non-trivial to sniff cookies.

-bob

You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en
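The two mitigations Ben describes (binding a session to the client IP, and a separate Secure-only cookie for the SSL-protected critical section) and Bob's objection to the first (a roaming user's IP changes, so a bound session stops working) can be put side by side in a few lines. The following is an added example written for this page; it is not code from the thread, from Pylons or from Beaker. The in-memory store, the cookie names `secure_session` and `session`, and the sample IP addresses are all constructed for the example.

```python
"""Added example (not from the pylons-discuss thread or from Pylons): IP-bound
sessions, Secure/HttpOnly cookies, and Ben's split secure/basic cookie scheme."""
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> {"user": ..., "ip": ...}.
# A real deployment would use the framework's session backend instead.
SESSIONS = {}


def issue_session(store, user, client_ip):
    """Create an unguessable session id and remember the IP it was issued to."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user, "ip": client_ip}
    return sid


def lookup_session(store, sid, client_ip, bind_ip=True):
    """Return the user for sid, or None if the id is unknown or, when bind_ip
    is set, is presented from a different IP than it was issued to.

    With bind_ip=True a copied id replayed from another address is rejected,
    which is Ben's IP restriction; the same check also rejects the legitimate
    owner after a move from office to cafe wireless, which is Bob's complaint.
    """
    sess = store.get(sid)
    if sess is None:
        return None
    if bind_ip and sess["ip"] != client_ip:
        return None
    return sess["user"]


def set_cookie_header(name, value, secure):
    """Build a Set-Cookie header line for a session cookie.

    HttpOnly keeps the id out of reach of page scripts; Secure tells the
    browser never to send the cookie over plain HTTP, so it cannot be sniffed
    on the non-SSL part of the site. The attribute order follows
    http.cookies, which sorts attributes alphabetically.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure  # omitted from output when False
    return jar.output(header="Set-Cookie:").strip()


def login_headers(store, user, client_ip):
    """Ben's split scheme: a Secure-only cookie that the browser will present
    only on SSL (for the critical section) and a separate, plainer cookie for
    the rest of the site. Each cookie carries its own session id, so sniffing
    the basic one on HTTP does not yield the id that unlocks the secure area.
    Cookie names are chosen for this example."""
    secure_sid = issue_session(store, user, client_ip)
    basic_sid = issue_session(store, user, client_ip)
    return [
        set_cookie_header("secure_session", secure_sid, secure=True),
        set_cookie_header("session", basic_sid, secure=False),
    ]


if __name__ == "__main__":
    for header in login_headers(SESSIONS, "leo", "203.0.113.10"):
        print(header)
```

Running it prints one `Set-Cookie` line carrying `HttpOnly; Path=/; Secure` and one carrying only `HttpOnly; Path=/`. Whether to pass `bind_ip=True` is exactly the trade-off in the thread: it blunts replay of a stolen id from elsewhere, at the cost of logging out anyone whose address changes, which is why Bob's site relies on SSL for every page that sees the login cookie instead.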
