[Zope-Coders] Session IP address protection
Tino Wildenhain
tino at wildenhain.de
Mon Oct 4 10:05:46 EDT 2004
Hi,
On Mon, 2004-10-04 at 15:12, Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.
>
> Thoughts?
It would even make it extremely hard to use it as intended
in some situations :-)
Many big ISPs use a proxy farm so you are presented with
a lot of IP changes in the same session.
Session based via Cookie/Path should be good. Don't
rely on IP constantness.
Regards
Tino
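
Added example, not part of the original message: a minimal Python sketch of the strict IP check discussed in this thread, replayed against constructed addresses. It shows the check rejecting a cookie presented from another host and also rejecting a legitimate user whose requests leave through different proxy-farm addresses. `SessionStore`, `replay` and the sample IPs are hypothetical and are not Zope's session API.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical, not Zope's API).

    bind_ip=True enables the strict check proposed in the thread.
    """

    def __init__(self, bind_ip):
        self.bind_ip = bind_ip
        self._sessions = {}  # session id -> client IP seen at creation

    def create(self, client_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = client_ip
        return sid

    def validate(self, sid, client_ip):
        bound_ip = self._sessions.get(sid)
        if bound_ip is None:
            return False  # unknown session id
        if self.bind_ip and client_ip != bound_ip:
            return False  # cookie presented from a different address
        return True


def replay(store, first_ip, later_ips):
    """Open a session from first_ip, then validate each later request."""
    sid = store.create(first_ip)
    return [store.validate(sid, ip) for ip in later_ips]


# Constructed sample data (RFC 5737 documentation ranges).
PROXY_FARM = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.10"]
OTHER_HOST = "203.0.113.50"  # someone replaying a copied cookie


def demo():
    results = {}
    for name, bind in (("ip_bound", True), ("cookie_only", False)):
        store = SessionStore(bind_ip=bind)
        results[name] = {
            "proxy_farm_user": replay(store, PROXY_FARM[0], PROXY_FARM[1:]),
            "other_host": replay(store, PROXY_FARM[0], [OTHER_HOST]),
        }
    return results


if __name__ == "__main__":
    print(demo())
```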