Thanks, Massimo. Very thorough. Especially the part about multiple sessions
going on for same user. Hadn't considered that. Cheers!
On Monday, September 16, 2013 2:20:57 PM UTC+8, weheh wrote:
>
> How secure is session? I'm considering 2 methods for downloading a file:
> The first is via an A('Download', _href=URL('download', 'file',
> args=[file_id])). The second would be to have session.file_id = file_id and
> then have only A('Download', _href=URL('download', 'file')), which causes
> the app to get the file_id from session.
>
> Assuming my app is bullet proof and only allows permitted users to access
> their accessible file_ids, then wouldn't the use of session in the second
> case be more secure because the file_id is never publicly exposed, and
> thereby hackable?
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
