> On Sep 17, 2014, at 23:40, Mike Orr <[email protected]> wrote:
>
>> On Wed, Sep 17, 2014 at 9:06 PM, Bert JW Regeer <[email protected]> wrote:
>> Don't tie it to the client's IP, you will come to regret it when your clients
>> end up talking IPv6 with privacy addresses that change, or if they move from
>> work to home with a laptop for instance, or are behind a corporate proxy
>> that does load balancing across different outgoing IPs (I ran into this
>> recently … that was a lot of fun!)
>
> I thought you were supposed to tie it to the IP to prevent somebody
> else on a different IP from hijacking the session.

If they can hijack the session they either have direct access to the user's browser to read the cookie data or can read it from the network. In the first case, it's game over; in the second, use SSL to stop the sniffing.

> Or is that obsolete
> advice now that mobile devices tend to switch networks without
> quitting the browser?
>
>> If you take my existing code... you'd be able to do what you proposed fairly
>> easily.
>
> It would be great if I can do that. You offered it before and I looked
> at 'pyramid_pluggable_sessions', but again it looked like serializing
> to strings was tightly wired to the core, and spanning several parts
> of the code and call-stack levels.

Just there, and the deserialization a little higher up. Doesn't span much at all, would be simple to replace. Definitely doesn't span several parts of the code or call-stack levels.

> Also, it doesn't have a Redis
> backend at all, so I'd have to write that.

Yes, you would need to do that anyway to take advantage of storing keys in Redis rather than an "encoded blob".

> BTW, another complaint about 'pyramid_redis_sessions' is that it wants
> to create its own Redis connection from the settings, even if you'd
> rather share an existing connection from 'pyramid_redis' that you're
> using for other things. The only concession to this is a generic
> callback function that you could write it in.

That's the other reason no Redis plug exists right now. Writing a backend for this is so simple, a couple of lines of code and done, and it means I don't need to deal with connection strings and all that fun stuff; more power to the user.
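As an added illustration of the backend shape discussed in this thread (example code, not from pyramid_pluggable_sessions or pyramid_redis_sessions): a session store that receives its Redis connection from a caller-supplied callback, keeps the session data in Redis under a random session id rather than in an encoded blob, and encodes nothing about the client address. `FakeRedis` is a constructed in-memory stand-in for a redis-py client so the example runs offline.

```python
import json
import secrets
import time


class FakeRedis:
    """Constructed stand-in for a redis-py (3.x+) client, mirroring the
    methods and argument order used below: setex(name, time, value), get, delete."""

    def __init__(self):
        self._data = {}

    def setex(self, name, ttl, value):
        self._data[name] = (value, time.monotonic() + ttl)

    def get(self, name):
        item = self._data.get(name)
        if item is None or item[1] < time.monotonic():
            self._data.pop(name, None)  # missing or expired
            return None
        return item[0]

    def delete(self, name):
        self._data.pop(name, None)


class RedisSessionBackend:
    """Server-side session store: the cookie carries only a random session id,
    the data lives in Redis under that id. The connection comes from a
    caller-supplied callback, so the backend parses no connection strings and
    the application can hand it a connection it already shares elsewhere."""

    def __init__(self, get_connection, ttl=3600, prefix="session:"):
        self._get_connection = get_connection  # callback returning a client
        self._ttl = ttl
        self._prefix = prefix

    def new_session_id(self):
        # 256 bits of randomness; the client address is not part of the id,
        # so IPv6 privacy-address changes or a proxy farm do not break it.
        return secrets.token_urlsafe(32)

    def save(self, session_id, data):
        conn = self._get_connection()
        conn.setex(self._prefix + session_id, self._ttl, json.dumps(data))

    def load(self, session_id):
        raw = self._get_connection().get(self._prefix + session_id)
        return {} if raw is None else json.loads(raw)

    def invalidate(self, session_id):
        self._get_connection().delete(self._prefix + session_id)
```

Swapping `FakeRedis()` for an existing `redis.StrictRedis` instance in the callback is the only change needed to use a real server.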
