There are two things you can do.

1) session.secure() # will force session over https
2) call auth.logout() to delete all auth information from the session
(this will not change the session cookie)
3)
import os
auth.settings.logout_onlogout = lambda user: os.unlink(response.session_filename)

This will delete the session and will force a new session cookie next
request.

On Nov 12, 4:42 pm, guruyaya <[email protected]> wrote:
> I've inspected web2py cookies, and I think I'm on to a problem.
> Say, I'm going into a public internet cafe. I'm getting into a web2py
> website, that uses the default auth. I'm looking at the cookie data,
> saving it
> then, I'm sitting in the next chair, and some other guy goes to the
> same website, and logs in. At this point - the cookie didn't change.
> And as we're both behind firewall, we also have the same IP, so I can
> easily implant the logged in session, into my browser, and do horrible,
> and unspeakable things on his behalf.
> Is there a way to force new session, once a user is logged in? This
> way, I can be sure no cookie is stolen.
>
> Yair
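The problem Yair describes is session fixation: the session id issued before login stays valid after login, so whoever saw it earlier can reuse it. The following is an added, self-contained illustration (not web2py code and not from either poster) that models a server-side session store with an in-memory dict standing in for web2py's session files, and contrasts a login that keeps the old id with one that rotates it, plus a logout that deletes the record the way the `logout_onlogout` hook above does. The class and function names are invented for the example.

```python
"""Session fixation illustration: why the pre-login session id must be replaced.

Added example, not part of web2py. A dict stands in for a directory of
session files; the key is the value the session cookie would carry.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    # session id -> session data (models one file per session on disk)
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        """Issue a fresh, unguessable id; this is what a new cookie carries."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)

    def delete(self, sid: str) -> None:
        # Counterpart of os.unlink(response.session_filename) in the thread.
        self.sessions.pop(sid, None)


def login_fixation_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Log in but keep the pre-login id. Anyone who already recorded this
    cookie value now holds an authenticated session."""
    store.sessions[sid]["user"] = user
    return sid


def login_with_renewal(store: SessionStore, sid: str, user: str) -> str:
    """Log in and rotate the id: drop the old record and issue a new id, so a
    cookie value captured before login no longer resolves to anything."""
    old = store.get(sid) or {}
    store.delete(sid)
    new_sid = store.new_session()
    store.sessions[new_sid].update(old)   # carry over non-auth state only
    store.sessions[new_sid]["user"] = user
    return new_sid


def logout(store: SessionStore, sid: str) -> str:
    """Logout that deletes the server-side record outright; the next request
    is served a brand-new id, which is the effect of the hook in the reply."""
    store.delete(sid)
    return store.new_session()


def who_is(store: SessionStore, sid: str) -> Optional[str]:
    """The identity a request presenting cookie value `sid` is treated as."""
    data = store.get(sid)
    if data is None:
        return None            # unknown id: anonymous
    return data.get("user")    # None if the session exists but nobody is logged in


def demo() -> dict:
    results = {}

    # Scenario 1: no renewal. The id seen before login is still good after it.
    store = SessionStore()
    captured = store.new_session()          # constructed: id observed pre-login
    login_fixation_vulnerable(store, captured, "alice")
    results["vulnerable_attacker_sees"] = who_is(store, captured)

    # Scenario 2: renewal on login. The captured id is dead; only the new one works.
    store = SessionStore()
    captured = store.new_session()
    new_sid = login_with_renewal(store, captured, "alice")
    results["fixed_attacker_sees"] = who_is(store, captured)
    results["fixed_owner_sees"] = who_is(store, new_sid)
    results["fixed_new_id_differs"] = new_sid != captured

    # Scenario 3: logout deletes the record; old id is useless, fresh id is anonymous.
    fresh = logout(store, new_sid)
    results["after_logout_sees"] = who_is(store, new_sid)
    results["fresh_id_anonymous"] = who_is(store, fresh)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see scenario 1 report `alice` for the captured id and scenarios 2 and 3 report `None`. The defensive rule it demonstrates is the one the thread converges on: change the session id at every privilege change (login and logout), and never let an id minted for an anonymous visitor become an authenticated one.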
