I suppose I could implement something like this (encode the IP address
into the token) and provide a knob to turn it on and off on the id
manager.  I'm not going to do this for the first iteration, I need to
get it working first.  :-)

Steve Spicklemire wrote:
> 
> I forget now where I saw this.... but one of the session managers I looked
> at once checked the IP address of the visitor to make sure it was the
> same for the entire session, or longer. This at least makes it much harder
> to hijack a session, even though it means that long-lived cookies might
> be fooled as a user gets a new dynamic IP address...
> 
> -steve
> 
> >>>>> "Chris" == Chris McDonough <[EMAIL PROTECTED]> writes:
> 
>     Chris> Session tokens, AFAICT, cannot be secured.  They can only
>     Chris> be obfuscated, which mitigates the risk that they will be
>     Chris> guessed.  However, there's no way to completely secure
>     Chris> them, no matter how many MD5 hashing algorithms you run on
>     Chris> them.  If a session token is stolen, that's the key that
>     Chris> the "attacker" needs to visit the website "as you".  I've
>     Chris> addressed this in the implementation by giving the session
>     Chris> token a random element, and this mitigates a guessing
>     Chris> attack, but not a theft attack.

-- 
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
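The two mechanisms discussed in this thread, a random element in the token and an optional knob that binds the token to the issuing IP address, as an added example written for this page rather than Zope's own session manager. The `SessionManager` class, the token layout (random nonce plus an HMAC that covers the IP only when the knob is on) and the sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SessionManager:
    """Session tokens = random nonce + MAC.  With bind_to_ip on, the client IP
    is folded into the MAC so a token presented from another address fails.
    Hypothetical example code for this thread, not Zope's session manager."""

    def __init__(self, secret, bind_to_ip=False):
        self.secret = secret            # server-side key, never sent to clients
        self.bind_to_ip = bind_to_ip    # the "knob" from the thread
        self._sessions = {}             # nonce -> user

    def _mac(self, nonce, client_ip):
        bound = client_ip if self.bind_to_ip else ""
        msg = f"{nonce}|{bound}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, user, client_ip):
        # 128 random bits from the OS CSPRNG: the "random element" that makes
        # guessing impractical.  It does nothing against theft of the token.
        nonce = secrets.token_hex(16)
        self._sessions[nonce] = user
        return f"{nonce}.{self._mac(nonce, client_ip)}"

    def validate(self, token, client_ip):
        """Return (user, None) on success, else (None, reason)."""
        nonce, _, mac = token.partition(".")
        if nonce not in self._sessions:
            return None, "unknown-token"
        if not hmac.compare_digest(mac, self._mac(nonce, client_ip)):
            return None, "ip-mismatch" if self.bind_to_ip else "bad-mac"
        return self._sessions[nonce], None


def demo():
    """Same token replayed from a second address (constructed sample IPs):
    what a stolen token looks like, and also what a dynamic-IP change looks like."""
    key = secrets.token_bytes(32)
    off = SessionManager(key, bind_to_ip=False)
    on = SessionManager(key, bind_to_ip=True)
    t_off = off.issue("alice", "198.51.100.7")
    t_on = on.issue("alice", "198.51.100.7")
    return (off.validate(t_off, "203.0.113.9"),   # accepted: no binding
            on.validate(t_on, "203.0.113.9"),     # rejected: ip-mismatch
            on.validate(t_on, "198.51.100.7"))    # accepted from issuing IP
```

Because the knob changes what the MAC covers, flipping it invalidates every token issued under the other setting, which is the kind of operational caveat to document next to the switch.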

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
