[Zope-Coders] Re: Session IP address protection
Tres Seaver
tseaver at zope.com
Mon Oct 4 09:43:42 EDT 2004
Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP-address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.
Not a blocker for an alpha, which was what this thread is about. If
somebody implements it before the beta feature freeze, and the
implementation doesn't cause problems, that would be fine (but note the
issues involved in large-scale sites, where Zope runs behind a cache, a
load-balancer, or another proxy).
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com