that's why the whole thing goes away behind SSL. Expiring a session on logout is better than leaving it as it is, but even in that case while userA is logged in there's NO way to prevent a MITM from someone else.
On Saturday, October 18, 2014 12:18:30 AM UTC+2, Anthony wrote: > > On Friday, October 17, 2014 5:51:18 PM UTC-4, Dave S wrote: >> >> >> >> On Friday, October 17, 2014 1:15:39 PM UTC-7, Anthony wrote: >> >>> I was simply pointing out that sessions do not technically expire on the >>> server side. The browser expires sessions by ceasing to return the session >>> cookie. If an attacker steals the cookie and keeps sending it, then the >>> server does nothing to expire the session. However, Auth logins can expire, >>> but that is a different matter. >>> >>> >> What's the model for an attacker stealing a cookie? Does it require >> access to the user's machine, or would a man-in-the-middle attack (with a >> wild proxy, for instance) work? >> > > Can be done via MITM attack. > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
