HTTP state management without cookies?
Steve Holden
sholden at holdenweb.com
Wed Feb 20 08:32:52 EST 2002
"Simon Willison" <cs1spw at bath.ac.uk> wrote in message
news:3C7368A0.5050702 at bath.ac.uk...
> Jonathan Gardner wrote:
>
> > There are security problems. I tried to force the guy to be coming from one
> > unique IP address, but I found that too many places have firewalls or
> > something that change the IP address of the user each time they access the
> > page, so I had to abandon that.
>
> I hadn't realised some places had dynamically changing IP addresses. My
> security method was to save the User Agent, IP address and the time the
> session was created (so I can expire it after X minutes). I suppose you
> could deal with IP addresses by ensuring that the first part of the IP
> address remains the same i.e.
>
> User logs on initially as 172.21.16.189
> Session then allows access from 172.21.16.* or 172.21.*.*
>

That would be pretty gash: all members of a subnet share the same session?
Even in your original scheme you are relying on not getting two simultaneous
sessions from the same IP address. This is easily possible -- for example,
when different X terminal users whose browsers run on the same machine access
your site. Run, do not walk, to fix your code!

> It's pretty important to provide some kind of checking mechanism like
> that to avoid people copying/pasting the URL of the page they are on
> into an e-mail / instant message and inadvertently giving their session
> to someone else.
>

Indeed, but it needs to be a little more rigorous. That's why a recent thread
concluded you EITHER pass session id through all URLs OR use a cookie to
identify the session.

regards
 Steve
--
Consulting, training, speaking: http://www.holdenweb.com/
Author, Python Web Programming: http://pydish.holdenweb.com/pwp/

"This is Python. We don't care much about theory, except where it intersects
with useful practice." Aahz Maruch on c.l.py
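As an added illustration of the exchange above (example code, not from either poster), here is a minimal session store that records what Simon proposed saving (User-Agent, IP, creation time with expiry after an assumed 30 minutes) and lets you compare his "first two octets" IP policy against an exact match and against no IP check at all. The in-memory table, the policy names and the 30-minute TTL are assumptions for the example; the point it makes is Steve's: the subnet policy accepts any other host in the same /16, so the unguessable session id plus expiry has to carry the security, whether the id travels in every URL or in a cookie.

```python
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # "expire it after X minutes"; X = 30 is assumed here

# Constructed in-memory session table: session id -> record (a real app would persist this).
SESSIONS = {}


def create_session(user, ip, user_agent, now=None):
    """Issue an unguessable session id and store the fields the thread suggests."""
    sid = secrets.token_urlsafe(32)  # 256 random bits; cannot be derived from IP or UA
    SESSIONS[sid] = {
        "user": user,
        "ip": ip,
        "user_agent": user_agent,
        "created": time.time() if now is None else now,
    }
    return sid


def subnet_prefix_matches(a, b, octets=2):
    """The loosened check from the thread: compare only the first N dotted octets."""
    return a.split(".")[:octets] == b.split(".")[:octets]


def validate(sid, ip, user_agent, now=None, ip_policy="none"):
    """Return True if the session is live and passes ip_policy.

    "exact"  - IP must equal the one seen at creation (breaks behind proxies/firewalls
               that rotate addresses, as Jonathan found)
    "subnet" - first two octets must match (172.21.*.*: every host in the /16 passes)
    "none"   - rely on the unguessable id, the User-Agent and expiry only
    """
    rec = SESSIONS.get(sid)
    if rec is None:
        return False
    now = time.time() if now is None else now
    if now - rec["created"] > SESSION_TTL_SECONDS:
        del SESSIONS[sid]  # expired: drop it so it cannot be replayed later
        return False
    if rec["user_agent"] != user_agent:
        return False
    if ip_policy == "exact":
        return rec["ip"] == ip
    if ip_policy == "subnet":
        return subnet_prefix_matches(rec["ip"], ip)
    return True
```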