Session ID & Security
Ng Pheng Siong
ngps at vista.netmemetic.com
Tue Jul 16 23:51:27 EDT 2002
According to Jan Felix Reuter <thefogger at web.de>:
> Now I'm concerned about security, because with this scheme an attacker could
> easily get access to a user's session by just guessing its ID. After some
> research I found out about Message Authentication Codes and the hmac python
> module. How does one use it? Do I apply the algorithm to every message (cgi
> output?) and place the hash in another cookie or appended to the session ID
> string? So, if the client sends back a hash that differs from the last hash
> the server has sent, the session is discarded, is that how you do it?
Take a look at AuthCookie, bundled with M2Crypto.
http://www.post1.com/home/ngps/m2
Cheers.
--
Ng Pheng Siong <ngps at netmemetic.com> * http://www.netmemetic.com
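An added example, not part of the post above and not M2Crypto's AuthCookie, showing the usual way the hmac module is applied to a session cookie. The server issues a random 128-bit session ID together with an expiry, appends an HMAC-SHA256 of that payload under a server-only key, and on each request recomputes the MAC over whatever the client presented and compares it in constant time. A guessed or edited ID fails because the attacker cannot produce a matching MAC without the key; there is no need to re-hash every page of output. The key, the one-hour lifetime and the `id=...&exp=...:mac` layout are assumptions for this example; `secrets` and `hmac.compare_digest` are Python 3 additions that postdate the thread.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret. Load it from a file or environment in real use; the
# fixed value here exists only so the example runs stand-alone (assumption).
SERVER_KEY = b"example-key-do-not-use-in-production"
SESSION_LIFETIME = 3600  # seconds a cookie stays valid (assumption)


def _mac(payload, key):
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def issue_cookie(key=SERVER_KEY, now=None):
    """Mint a new session cookie: random ID + expiry, followed by their MAC."""
    if now is None:
        now = time.time()
    session_id = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
    expires = int(now) + SESSION_LIFETIME
    payload = "id=%s&exp=%d" % (session_id, expires)
    return "%s:%s" % (payload, _mac(payload, key))


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the session ID if the cookie is authentic and unexpired, else None."""
    if now is None:
        now = time.time()
    payload, sep, presented_mac = cookie.rpartition(":")
    if not sep or not payload:
        return None
    # Check the MAC before parsing anything else, in constant time so the
    # comparison does not leak how many leading bytes matched.
    if not hmac.compare_digest(_mac(payload, key), presented_mac):
        return None
    fields = dict(part.split("=", 1) for part in payload.split("&") if "=" in part)
    try:
        session_id = fields["id"]
        expires = int(fields["exp"])
    except (KeyError, ValueError):
        return None
    if now >= expires:
        return None
    return session_id


if __name__ == "__main__":
    cookie = issue_cookie()
    print("issued :", cookie)
    print("valid  :", verify_cookie(cookie))
    forged = cookie.replace("exp=", "exp=9", 1)   # attacker extends the expiry
    print("forged :", verify_cookie(forged))      # None: MAC no longer matches
```

Because the expiry is inside the MACed payload, the client cannot extend its own session, and because the ID itself is 128 random bits, guessing one is infeasible even before the MAC check; the MAC mainly protects the extra fields you put alongside the ID. Server-side revocation (logout, password change) still needs a lookup against stored sessions, which this example does not show.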
More information about the Python-list mailing list