session.secure() does solve the problem since it forces the session
over https and therefore it cannot be stolen. Even if the session were
to be reset at login, without an https connection it could still be
stolen after login.

One solution is (in a model file, where session, request and HTTP are
web2py globals):

# remember the client address that first used this session
session.client = session.client or request.client
# refuse to serve this session to a request from a different client
if session.client != request.client:
    raise HTTP(500, "not authorized")



On Nov 14, 11:37 am, guruyaya <[email protected]> wrote:
> Well, I'm afraid all the solutions you gave, though they seem reasonable,
> won't solve the scenario I talked about. The problem is with the fact
> that the session won't change on login (so I can just get into the website
> before someone else does, copy the session data, and then wait for him
> to log in).
>
> On Nov 13, 1:38 am, mdipierro <[email protected]> wrote:
>
> > There are two things you can do.
> >
> > 1) session.secure() # will force session over https
> > 2) call auth.logout() to delete all auth information from the session
> > (this will not change the session cookie)
> > 3)
> > auth.settings.logout_onlogout = lambda user: os.unlink(response.session_filename)
> >
> > This will delete the session and will force a new session cookie on the next
> > request.
>
> > On Nov 12, 4:42 pm, guruyaya <[email protected]> wrote:
>
> > > I've inspected web2py cookies, and I think I'm on to a problem.
> > > Say I'm going into a public internet cafe. I'm getting into a web2py
> > > website that uses the default auth. I'm looking at the cookie data,
> > > saving it.
> > > Then I'm sitting in the next chair, and some other guy goes to the
> > > same website and logs in. At this point the cookie didn't change.
> > > And as we're both behind a firewall, we also have the same IP, so I can
> > > easily implant the logged-in session into my browser and do horrible
> > > and unspeakable things on his behalf.
> > > Is there a way to force a new session once a user is logged in? This
> > > way I can be sure no cookie is stolen.
>
> > > Yair
>
>
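The thread above is a session fixation scenario: a session id issued before login stays valid after login, so whoever saw it beforehand can replay it. The following is an added example, not code from the thread or from web2py, that replays the cafe scenario against a hypothetical in-memory session store. It contrasts the two defenses discussed: destroying the pre-login session at login so a fresh id is issued (what the logout_onlogout + os.unlink suggestion achieves), and binding a session to the client address (the session.client check). The SessionStore class, fixation_scenario function and the IP addresses are all constructed for the example.

```python
"""Session fixation demo: rotate the session id at login and bind a session
to the client address.  Hypothetical in-memory store, not web2py's own
session machinery."""
import secrets


class SessionStore:
    """Maps a session id (the cookie value) to its data.  Each session
    records the client address that first used it."""

    def __init__(self):
        self._sessions = {}  # session id -> {"client": ip, "user": name}

    def new_session(self, client):
        """Issue a fresh, unpredictable session id for a client."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"client": client, "user": None}
        return sid

    def get(self, sid, client):
        """Return the session data, or None when the id is unknown or the
        request comes from a different client than the one that opened it
        (the session.client == request.client check from the thread)."""
        data = self._sessions.get(sid)
        if data is None or data["client"] != client:
            return None
        return data

    def login(self, sid, client, user, rotate=True):
        """Authenticate `user` into session `sid` and return the id the
        browser should use from now on.

        rotate=True  : the old session is deleted and a new id issued, so a
                       cookie captured before login is worthless afterwards.
        rotate=False : the same id is kept, the fixation-prone behaviour the
                       original post describes."""
        data = self.get(sid, client)
        if data is None:
            raise KeyError("no such session for this client")
        if rotate:
            del self._sessions[sid]
            sid = secrets.token_hex(16)
            self._sessions[sid] = {"client": client, "user": user}
        else:
            data["user"] = user
        return sid


def fixation_scenario(rotate, cafe_ip="10.0.0.5", replay_ip="10.0.0.5"):
    """Replay the internet-cafe scenario with constructed addresses.

    cafe_ip   : address of the shared machine where the cookie is issued
                and where the victim later logs in.
    replay_ip : address the attacker replays the saved cookie from.  In the
                thread both sit behind the same NAT, so it equals cafe_ip.

    Returns the user the attacker is logged in as after replaying the
    pre-login cookie, or None if the attack failed."""
    store = SessionStore()
    # 1. attacker visits the site on the shared machine and saves the cookie
    fixed_sid = store.new_session(cafe_ip)
    # 2. victim logs in on that machine; the browser still carries fixed_sid
    store.login(fixed_sid, cafe_ip, "victim", rotate=rotate)
    # 3. attacker implants the saved cookie into his own browser
    data = store.get(fixed_sid, replay_ip)
    return data["user"] if data else None


if __name__ == "__main__":
    print("same IP, no rotation :", fixation_scenario(rotate=False))
    print("same IP, rotation    :", fixation_scenario(rotate=True))
    print("other IP, no rotation:",
          fixation_scenario(rotate=False, replay_ip="203.0.113.9"))
```

With rotate=False and both parties behind one address the attacker ends up logged in as the victim; the client-address check only helps once the attacker replays from a different address, whereas rotating the id at login defeats the replay regardless of where it comes from.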