HTTP state management without cookies?

Steve Holden sholden at holdenweb.com
Wed Feb 20 08:32:52 EST 2002


"Simon Willison" <cs1spw at bath.ac.uk> wrote in message
news:3C7368A0.5050702 at bath.ac.uk...
> Jonathan Gardner wrote:
>
> > There are security problems. I tried to force the guy to be coming from
> > one unique IP address, but I found that too many places have firewalls or
> > something that change the IP address of the user each time they access
> > the page, so I had to abandon that.
>
> I hadn't realised some places had dynamically changing IP addresses. My
> security method was to save the User Agent, IP address and the time the
> session was created (so I can expire it after X minutes). I suppose you
> could deal with IP addresses by ensuring that the first part of the IP
> address remains the same, i.e.
>
> User logs on initially as 172.21.16.189
> Session then allows access from 172.21.16.* or 172.21.*.*
>
That would be pretty gash: all members of a subnet share the same session?

Even in your original scheme you are relying on not getting two
simultaneous sessions from the same IP address. This is easily possible --
for example, when different X terminal users whose browsers run on the same
machine access your site.

Run, do not walk, to fix your code!

> It's pretty important to provide some kind of checking mechanism like
> that to avoid people copying/pasting the URL of the page they are on
> into an e-mail / instant message and inadvertently giving their session
> to someone else.
>
Indeed, but it needs to be a little more rigorous. That's why a recent
thread concluded you EITHER pass session id through all URLs OR use a cookie
to identify the session.

regards
 Steve
--
Consulting, training, speaking: http://www.holdenweb.com/
Author, Python Web Programming: http://pydish.holdenweb.com/pwp/

"This is Python.  We don't care much about theory, except where it
intersects with useful practice."  Aahz Maruch on c.l.py
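The approach Steve's reply points to, a random session id carried in a cookie or in every URL and expired after a set idle time, with the client's IP recorded but never used as the lookup key, as an added Python example. This is not code from the thread; the SessionStore class, the 15-minute default TTL and the sample IP and User-Agent values are assumed or constructed here.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # "expire it after X minutes"; X = 15 is an assumed value


class SessionStore:
    """Server-side session table keyed by an unguessable random token.

    The token travels in a cookie or in every URL.  The client's IP address is
    stored only for logging; it is never part of the lookup, so several users
    behind one address (or one subnet) cannot end up sharing a session.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for testing expiry
        self._sessions = {}         # token -> record dict

    def create(self, user, user_agent, ip):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[token] = {
            "user": user, "user_agent": user_agent, "ip": ip,
            "created": now, "last_seen": now,
        }
        return token

    def lookup(self, token, user_agent):
        """Return the user for a valid token, else None.

        Rejects unknown tokens, tokens idle longer than the TTL, and tokens
        presented with a different User-Agent (a cheap, weak signal that a
        pasted URL has landed in someone else's browser).
        """
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self.clock()
        if now - record["last_seen"] > self.ttl:
            del self._sessions[token]       # expired: forget it server-side too
            return None
        if record["user_agent"] != user_agent:
            return None
        record["last_seen"] = now           # sliding idle timeout
        return record["user"]

    def destroy(self, token):
        self._sessions.pop(token, None)     # explicit logout
```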


