Still, there is no counter-indication.... a session sticks to one single IP. Users of a LAN (me and my brother) "hidden" by NAT, and users of large WANs like Fastweb in Italy (and quite everyone in China, I believe), show themselves to the webserver with the same IP address in the same session. As long as web2py doesn't bother if two different users have the same IP, checking that the session cookie "comes" from the same address is safer than the actual implementation and doesn't break anything. I don't know if China's ISPs and other privacy software, like Tor, can change the IP address over a session.... in that case this implementation will break things. Still, I think that if the default "check" of "remember me 30 days" saves the cookie for 30 days, probably I'll get to insert username and password at least every day.... here in Italy if you turn down the connection (or the router), you get a different IP address. For me it's not a problem, but probably some people think differently.
Niphlod

On 25 Nov, 17:55, Kuba Kucharski <[email protected]> wrote:
> @massimo
>
> this sounds good, although stealing credentials/intercepting
> communication is most probable in the networks hidden over NAT - hence
> in this case it will not work.
>
> --
> Kuba
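The check under discussion, written out as an added example (this is not web2py's session code and not code from anyone in the thread): a server-side session store records the client address seen at login and rejects the cookie when it is later presented from a different address. The constructed scenarios show the three cases the posts raise: same address is accepted, a changed address (stolen cookie, or simply a new address after a router reconnect) is rejected, and two clients behind the same NAT address are indistinguishable to the server, so the check adds nothing in that case. Names (`SessionStore`, `scenarios`) and the addresses are assumptions made for the example; the IP passed in must be the address the web server attributes to the request, which behind a reverse proxy means the real client address rather than the proxy's.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_ip: str  # address seen when the session was created


class SessionStore:
    """Server-side session store that binds each session to one client address.

    Hypothetical store written for this example, not web2py's implementation.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        # Unguessable session id; the IP check complements it, it does not replace it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def validate(self, sid, client_ip):
        """Return the user if the cookie is known AND presented from the login address, else None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.client_ip != client_ip:
            # Address changed: could be a stolen cookie, or just a new address after
            # the user's router reconnected. Either way the session is dropped and the
            # user has to log in again, which is the cost discussed in the thread.
            del self._sessions[sid]
            return None
        return sess.user


def scenarios():
    """Constructed walk-through of the cases the thread discusses (sample data, not real traffic)."""
    store = SessionStore()
    results = {}

    # 1. Normal use: the whole session comes from one address.
    sid = store.login("alice", "203.0.113.10")
    results["same_ip"] = store.validate(sid, "203.0.113.10")

    # 2. The cookie shows up from a different address: rejected, and the session is gone
    #    even when the original address comes back.
    sid = store.login("alice", "203.0.113.10")
    results["changed_ip"] = store.validate(sid, "198.51.100.7")
    results["after_reject"] = store.validate(sid, "203.0.113.10")

    # 3. NAT limitation: a second client sharing 203.0.113.10 presents the same cookie.
    #    The server only sees the address, so the check passes and cannot tell them apart.
    sid = store.login("alice", "203.0.113.10")
    results["same_nat_ip_other_client"] = store.validate(sid, "203.0.113.10")
    return results


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

The binding is cheap and catches a cookie replayed from another network, but as scenario 3 shows it is only a second factor on top of an unguessable session id, and scenario 2 is exactly the forced re-login that users on dynamic addresses will notice.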

