[Zope-Coders] Session IP address protection
Andreas Jung
lists at andreas-jung.com
Mon Oct 4 09:20:39 EDT 2004
--On Monday, 4 October 2004 15:12 +0200 Lennart Regebro
<regebro at nuxeo.com> wrote:
> Many moons ago, it was discussed to protect sessions with the IP address.
> That would have the effect of not allowing a user to switch IP address
> mid-session (not a big problem) and thereby making session-theft via
> cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
Is this protection optional or mandatory? If mandatory, then -1 because
there are enough organizations running load-balanced proxies where
the source IP can change from time to time.
-aj
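
An added example, not code from this thread or from Zope: a minimal session table in which the IP check discussed above is a setting rather than a fixed rule. The `SessionStore` class, its `ip_binding` modes and the `prefix` mode (accepting a client whose source address moves within one network, as behind a proxy pool) are assumptions made for illustration; the addresses are constructed documentation ranges.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session table with optional client-IP binding (hypothetical API)."""

    def __init__(self, ip_binding="off", v4_prefix=24, v6_prefix=64):
        if ip_binding not in ("off", "exact", "prefix"):
            raise ValueError("ip_binding must be 'off', 'exact' or 'prefix'")
        self.ip_binding = ip_binding
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._sessions = {}  # token -> (user, address seen at session creation)

    def create(self, user, client_ip):
        """Start a session and remember the address it was created from."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, ipaddress.ip_address(client_ip))
        return token

    def _same_origin(self, bound, current):
        if self.ip_binding == "off":
            return True                      # protection disabled: cookie alone decides
        if bound.version != current.version:
            return False                     # IPv4 session presented over IPv6 or reverse
        if self.ip_binding == "exact":
            return bound == current          # mandatory match, breaks behind proxy pools
        # "prefix": tolerate address changes inside the network of the first request
        prefix = self.v4_prefix if bound.version == 4 else self.v6_prefix
        network = ipaddress.ip_network(f"{bound}/{prefix}", strict=False)
        return current in network

    def lookup(self, token, client_ip):
        """Return the session's user, or None if the token or address is rejected."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        try:
            current = ipaddress.ip_address(client_ip)
        except ValueError:
            return None                      # unparsable address is never accepted
        return user if self._same_origin(bound, current) else None
```
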