[Zope-Coders] Session IP adress protection

Andreas Jung lists at andreas-jung.com
Mon Oct 4 09:20:39 EDT 2004

--On Montag, 4. Oktober 2004 15:12 Uhr +0200 Lennart Regebro 
<regebro at nuxeo.com> wrote:

> Many moons ago, it was discussed to protect sessions with the IP address.
> That  would have the effect of not allowing a user to switch IP-adress
> mid-session (not a big problem) and thereby making session-theft via
> cookie-theft much harder.
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.

Is this protection optional or mandatory? If mandatory, then -1 because
there are enough organizations running load-balanced proxies where
the source IP can change  from time to time.


More information about the Zope-Coders mailing list