I think you missed this particular scenario.
If I can sniff the traffic, I must have access to the router that
holds the data. That means I'm at a place in the routing table that
gets this packet, and that means I can make my IP be the same as the
user's at the far end of the communication. So, if I'm able to sniff,
I'll probably be able to forge the IP too, and it wouldn't be a great
help. Yet I can think of several things that can change a user's IP
while he is still legitimate, like a dial-up connection that went
dead and he had to connect again.
I'm not saying this feature doesn't add to security, but it really is
not a game changer. It'll make the attacker's work harder, but a hacker
sufficiently smart to get to the router will probably find a way to
change his IP.

On Nov 25, 6:05 pm, mdipierro <[email protected]> wrote:
> Consider this scenario...
>
> You use http to login and somebody intercepts the communication, steals
> the cookie and logs in using your credentials.
>
> This is no longer possible. Now web2py checks that the IP of the client
> is the same as the IP of the client that started the session. If the
> cookie is stolen and/or used from a different IP, web2py refuses to
> open the corresponding session.
>
> I do not see any counter-indication. Comments?
>
> Massimo

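The check being discussed, as an added illustration that is not web2py's own code: a session store that records the client IP at session creation and refuses to open the session from any other address. The in-memory store, the session-ID format and the sample IPs are constructed for the example. The scenario function walks through the four cases the thread raises: the legitimate user, a stolen cookie replayed from another address, a stolen cookie replayed by an attacker who can present the victim's source IP, and a legitimate user whose address changed after a reconnect.

```python
import secrets
import time

# Constructed in-memory session store (assumption for this example; a real
# framework would back this with files or a database).
SESSIONS = {}


def start_session(client_ip, user):
    """Create a session for `user` and bind it to the IP that started it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip, "created": time.time()}
    return sid


def open_session(sid, client_ip):
    """Return the session dict only if the cookie is known AND the request
    comes from the same IP that started the session; otherwise None."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None          # unknown or expired cookie
    if sess["ip"] != client_ip:
        return None          # refused: different source address
    return sess


def run_scenario():
    """Exercise the IP-binding check against the cases raised in the thread.
    Returns a dict of booleans: True means the session was opened."""
    victim_ip = "203.0.113.10"     # constructed sample address
    attacker_ip = "198.51.100.7"   # constructed sample address
    new_dialup_ip = "203.0.113.77" # constructed: same user after reconnect

    sid = start_session(victim_ip, user="alice")

    results = {
        # Legitimate user from the address that started the session.
        "victim_same_ip": open_session(sid, victim_ip) is not None,
        # Cookie sniffed on the wire and replayed from the attacker's own address.
        "attacker_other_ip": open_session(sid, attacker_ip) is not None,
        # Attacker on the path who can also present the victim's source IP:
        # the check cannot tell this request apart from the victim's.
        "attacker_spoofed_ip": open_session(sid, victim_ip) is not None,
        # Legitimate user whose dial-up link dropped and came back with a new IP:
        # the check locks them out as if the cookie had been stolen.
        "user_after_reconnect": open_session(sid, new_dialup_ip) is not None,
    }
    return results


if __name__ == "__main__":
    for case, opened in run_scenario().items():
        print(f"{case:24s} -> {'opened' if opened else 'refused'}")
```

The two middle cases are the crux of the discussion: the binding stops an off-path replay of a sniffed cookie, but an attacker who can both sniff and source packets from the victim's address passes the same comparison, while a legitimate client whose address changes is refused.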