Bob Ippolito wrote:
> On Feb 18, 2008 4:35 PM, Ben Bangert <[EMAIL PROTECTED]> wrote:
>   
>> On Feb 17, 2008, at 3:59 AM, Leo wrote:
>>
>>     
>>> So, subj.
>>> If someone steals the session id from cookies, will he be able to use
>>> it?
>>>       
>> As with every other website out there.... yes. Only using IP-based
>> restrictions will help, but there's still quite a few people behind
>> proxies, though nowhere near as many since ppl appear to be bailing on
>> AOL finally. I have it on my todo list to add IP restrictions to
>> sessions, but I should mention that ppl can hijack Google sessions as
>> easily as any others, and they do.
>>
>> Generally, if you care a lot about security, use separate 'secure-
>> only' cookies on SSL for sections that are critical, and just a more
>> basic, less secure cookie for the rest of the site (assuming there is
>> a less secure section to the site).
>>     
>
> I change IP addresses all of the time e.g. work, home, cafe wireless,
> 3G wireless card, etc. If I had to re-login to all of the web apps I
> use any time I open my laptop it would be pretty annoying.
>
> We don't really have this problem because we use SSL for any part of
> our app that has a login cookie, so it's non-trivial to sniff cookies.
>
>   
I know this is a generic web application issue, but isn't the session id 
cookie always sent with every request (whether it is SSL or not)?

What do you mean by login cookie? Just curious.

Thanks


huy
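
Added example, not part of the original thread: a Python sketch of the 'secure-only' cookie split discussed above, using the standard library's `http.cookiejar` to show which cookies a client attaches to plain-HTTP versus HTTPS requests. The host `app.example`, the cookie names `session_id` and `login`, and their values are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._msg


def build_jar():
    """Simulate a login response over HTTPS that sets two cookies."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request("https://app.example/login")
    response = FakeResponse([
        # Constructed values. No Secure attribute: returned on any scheme.
        "session_id=constructed-abc123; Path=/",
        # Secure attribute: the client returns it only over HTTPS.
        "login=constructed-def456; Path=/; Secure; HttpOnly",
    ])
    jar.extract_cookies(response, login_request)
    return jar


def cookies_sent(jar, url):
    """Return the names of the cookies the client would attach to `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}


if __name__ == "__main__":
    jar = build_jar()
    for url in ("http://app.example/news", "https://app.example/account"):
        print(url, "->", sorted(cookies_sent(jar, url)))
```

The cookie without the `Secure` attribute goes out on every request to the host, including unencrypted ones, while the `Secure` cookie is withheld until the connection is HTTPS.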

