Well, I'm afraid all the solutions you gave, though they seem reasonable, won't solve the scenario I talked about. The problem is with the fact that the session won't change on login (so I can just get into the website, before someone else does, copy the session data, and then wait for him to log in).
On Nov 13, 1:38 am, mdipierro <[email protected]> wrote:
> There are two things you can do.
>
> 1) session.secure() # will force session over https
> 2) call auth.logout() to delete all auth information from the session
> (this will not change the session cookie)
> 3)
> auth.settings.logout_onlogout=lambda user:
> os.unlink(response.session_filename)
>
> This will delete the session and will force a new session cookie next
> request.
>
> On Nov 12, 4:42 pm, guruyaya <[email protected]> wrote:
>
> > I've inspected web2py cookies, and I think I'm on to a problem.
> > Say, I'm going into a public internet cafe. I'm getting into a web2py
> > website, that uses the default auth. I'm looking at the cookie data,
> > saving it
> > then, I'm sitting in the next chair, and some other guy goes to the
> > same website, and logs in. At this point - the cookie didn't change.
> > And as we're both behind firewall, we also have the same IP, so I can
> > easily implant the logged in session, into my browser, and do horrible,
> > and unspeakable things on his behalf.
> > Is there a way to force new session, once a user is logged in? This
> > way, I can be sure no cookie is stolen.
> >
> > Yair
> >
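The property the thread is asking for is that the session identifier issued before login must carry no authenticated state after login. The following is an added illustration, not web2py code and not from anyone in this thread: a toy in-memory session store with two login paths, one that authenticates the existing session in place and one that discards it and mints a fresh identifier (the same effect the thread's suggestion of deleting the session file aims for). All names (`SessionStore`, `login_no_rotation`, `login_with_rotation`, `pre_login_id_still_authenticated`) are hypothetical.

```python
"""Toy model of session-id rotation at login (added example, not web2py code).

A SessionStore maps identifiers (the value a session cookie would carry)
to session data. Two login strategies are compared: keeping the pre-login
identifier versus replacing it. A helper reports whether an identifier
observed before login still resolves to an authenticated session afterwards,
which is the check a reviewer would run against a real framework.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Maps session ids to their data, like a set of cookie-keyed session files."""
    sessions: Dict[str, dict] = field(default_factory=dict)

    def new(self) -> str:
        # Unguessable identifier, comparable to a freshly issued session cookie.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)

    def login_no_rotation(self, sid: str, user: str) -> str:
        """Weak pattern: store the authenticated user under the existing id."""
        self.sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid: str, user: str) -> str:
        """Hardened pattern: retire the pre-login id and issue a new one.

        Dropping the old entry is the equivalent of deleting the old session
        file; the next response would then have to set a new cookie.
        """
        old_data = self.sessions.pop(sid, {})   # the old id stops resolving
        new_sid = self.new()
        self.sessions[new_sid] = dict(old_data, user=user)
        return new_sid


def pre_login_id_still_authenticated(rotate: bool) -> bool:
    """Simulate the thread's scenario and report whether the first id stays live.

    A session id is issued before anyone logs in (constructed scenario); later a
    user authenticates through the same browser session. Returns True when the
    originally issued id still resolves to the authenticated user.
    """
    store = SessionStore()
    first_sid = store.new()            # id that existed before login
    if rotate:
        store.login_with_rotation(first_sid, user="alice")
    else:
        store.login_no_rotation(first_sid, user="alice")
    data = store.get(first_sid)
    return data is not None and "user" in data


if __name__ == "__main__":
    print("without rotation, pre-login id authenticated:",
          pre_login_id_still_authenticated(rotate=False))
    print("with rotation, pre-login id authenticated:",
          pre_login_id_still_authenticated(rotate=True))
```

Run against a real application, the same check reads: note the session cookie value before authenticating, log in, and confirm that a request carrying the old value is treated as anonymous. A framework passes only if its login step retires the old identifier, whether by rotating it directly or by destroying the old session so a new cookie is set.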

