I suppose I could implement something like this (encode the IP address
into the token) and provide a knob to turn it on and off on the id
manager.  I'm not going to do this for the first iteration, I need to
get it working first.  :-)

Steve Spicklemire wrote:
> I forget now where I saw this.... but one of the session managers I looked
> at once checked the IP address of the visitor to make sure it was the
> same for the entire session, or longer. This at least makes it much harder
> to hijack a session, even though it means that long-lived cookies might
> be fooled as a user gets a new dynamic IP address...
> -steve
> >>>>> "Chris" == Chris McDonough <[EMAIL PROTECTED]> writes:
>     Chris> Session tokens, AFAICT, cannot be secured.  They can only
>     Chris> be obfuscated, which mitigates the risk that they will be
>     Chris> guessed.  However, there's no way to completely secure
>     Chris> them, no matter how many MD5 hashing algorithms you run on
>     Chris> them.  If a session token is stolen, that's the key that
>     Chris> the "attacker" needs to visit the website "as you".  I've
>     Chris> addressed this in the implementation by giving the session
>     Chris> token a random element, and this mitigates a guessing
>     Chris> attack, but not a theft attack.

Chris McDonough
Digital Creations, Publishers of Zope

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to