This is a feature. The web2py session (mapped to a file or db record)
is one thing, the auth session (logical) is another. The web2py
session is linked to your browser session. The auth session affects
whether you are logged in or not. You may want the server to remember
you or not whether you are logged in or not.

On Apr 19, 12:57 am, Adi <[email protected]> wrote:
> Hi all,
>
> In my application, the session id seems to be getting re-used across
> different sessions.
>
> To explain:
>
> Login 1:
> -----------
> print str(session) on user/logout shows the following:
>
> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
> bcba-25bc46eac3ce', '_formkey[login]': '2af20030-f787-4623-851d-
> e823988a4df2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
> b92d2da1b023', '_formkey[job_create]':
> 'c3325e1c-3f1d-409d-875b-240a8026f168', 'flash': None, 'auth':
> <Storage {'expiration': 600, 'user': <Storage {'username': 123456789,
> 'registration_key': '', 'incorrect_login_count': 0, 'email':
> '[email protected]', 'reset_password_key': '',
> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
> 'password':
> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
> 'account_locked': False, 'id': 1}>, 'last_visit':
> datetime.datetime(2010, 4, 19, 11, 18, 37, 417024), 'remember': False}>}>
>
> Login 2:
> ------------
> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
> bcba-25bc46eac3ce', '_formkey[login]': '9e0813ad-41f5-4c1d-8634-
> b6aa6dd6faf2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
> b92d2da1b023', '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-
> be6d91098e88', 'flash': None, 'auth': <Storage {'expiration': 600,
> 'user': <Storage {'username': 123456789, 'password':
> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
> 'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '',
> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
> 'registration_key': '', 'account_locked': False, 'email':
> '[email protected]'}>, 'last_visit': datetime.datetime(2010, 4,
> 19, 11, 20, 1, 154791), 'remember': False}>}>
>
> Now I have set expiration auth.settings.expire=600. Now someone
> reviewing security of my application said that having the same session
> id can allow someone to "hijack" the session. How can I cause a
> completely different session id for a user after every new login?
>
> Sorry my knowledge of this is quite limited. Would appreciate any
> insights here.
>
> Thanks,
> Aditya

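As an added illustration (not web2py code and not from anyone in this thread), a minimal Python model of the two layers the reply describes: a server-side store keyed by session id, with the logical login state kept as an 'auth' entry inside the stored record. The `SessionStore` class and its method names are hypothetical; the point it demonstrates is that rotating the id at login and logout is what stops a pre-login id from ever becoming an authenticated one.

```python
import secrets
import datetime


class SessionStore:
    """Hypothetical server-side store: session id -> session record.
    The record stands in for the file/db-backed web2py session; the
    'auth' key inside it stands in for the logical auth session."""

    def __init__(self):
        self._sessions = {}

    def new_id(self):
        # Unpredictable id, never derived from the user or the previous id.
        return secrets.token_hex(16)

    def create(self):
        sid = self.new_id()
        self._sessions[sid] = {"flash": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def _rotate(self, sid):
        # Move the record under a fresh id; the old id stops resolving.
        data = self._sessions.pop(sid)
        new_sid = self.new_id()
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, user, expiration=600, remember=False, rotate=True):
        """Attach auth state. With rotate=False the id survives login,
        which is the behaviour the original poster observed; with
        rotate=True a different id is issued for every login."""
        self._sessions[sid]["auth"] = {
            "user": dict(user),
            "expiration": expiration,
            "last_visit": datetime.datetime.now(datetime.timezone.utc),
            "remember": remember,
        }
        return self._rotate(sid) if rotate else sid

    def logout(self, sid):
        """Drop auth state and rotate again, so the id that was
        authenticated is dead even if it was captured earlier."""
        self._sessions[sid].pop("auth", None)
        return self._rotate(sid)
```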