Yes, the fact that AOL customers have their IP addresses change every couple
minutes is really annoying ... although, the first 3 parts of a 4-part IP
address remain the same even for AOL customers, so you can do a partial
IP-check for everyone.

On Feb 18, 2008 4:35 PM, Ben Bangert <[EMAIL PROTECTED]> wrote:

> On Feb 17, 2008, at 3:59 AM, Leo wrote:
>
> > So, subj.
> > If someone steals the session id from cookies, will he be able to use
> > it?
>
> As with every other website out there.... yes. Only using IP-based
> restrictions will help, but there's still quite a few people behind
> proxies, though nowhere near as many since ppl appear to be bailing on
> AOL finally. I have it on my todo list to add IP restrictions to
> sessions, but I should mention that ppl can hijack Google sessions as
> easily as any others, and they do.
>
> Generally, if you care a lot about security, use separate 'secure-
> only' cookies on SSL for sections that are critical, and just a more
> basic, less secure cookie for the rest of the site (assuming there is
> a less secure section to the site).
>
> Cheers,
> Ben
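
The two measures discussed in this thread (a partial IP check on the first three octets, and a separate secure-only cookie for critical sections) can be sketched as follows. This is an added example, not code from the thread or from Pylons; `SessionStore`, `session_cookie`, the cookie names and the /64 IPv6 prefix are assumptions, and `remote_addr` is taken to be the peer address the server itself sees.

```python
import ipaddress
import secrets

# /24 = "the first 3 parts of a 4-part IP"; /64 for IPv6 is this example's assumption.
PREFIX_BITS = {4: 24, 6: 64}


def client_network(addr):
    """Network a client address is pinned to, e.g. 203.0.113.0/24."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d compares as plain IPv4
    return ipaddress.ip_network(f"{ip}/{PREFIX_BITS[ip.version]}", strict=False)


class SessionStore:
    """Hypothetical in-memory store: session id -> (user, pinned network)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, remote_addr):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, client_network(remote_addr))
        return sid

    def lookup(self, sid, remote_addr):
        """Return the user, or None if the id is unknown or arrives from another network."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, pinned = entry
        try:
            current = client_network(remote_addr)
        except ValueError:
            return None
        if current != pinned:
            del self._sessions[sid]  # possible stolen cookie: force a fresh login
            return None
        return user


def session_cookie(sid, critical):
    """Set-Cookie value; the cookie for critical sections is marked Secure."""
    name = "secure_session" if critical else "session"  # hypothetical names
    attrs = [f"{name}={sid}", "Path=/", "HttpOnly"]
    if critical:
        attrs.append("Secure")  # sent over SSL/TLS connections only
    return "; ".join(attrs)
```

A client whose address moves within the same /24 keeps its session; a session id presented from any other network is dropped and the user has to log in again.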
