HTTP state management without cookies?

Simon Willison cs1spw at bath.ac.uk
Wed Feb 20 10:17:43 CET 2002


Jonathan Gardner wrote:

> There are security problems. I tried to force the guy to be coming from one 
> unique IP address, but I found that too many places have firewalls or 
> something that change the IP address of the user each time they access the 
> page, so I had to abandon that.

I hadn't realised some places had dynamically changing IP addresses. My 
security method was to save the User Agent, IP address and the time the 
session was created (so I can expire it after X minutes). I suppose you 
could deal with IP addresses by ensuring that the first part of the IP 
address remains the same i.e

User logs on initially as 172.21.16.189
Session then allows access from 172.21.16.* or 172.21.*.*

It's pretty important to provide some kind of checking mechanism like 
that to avoid people copying/pasting the URL of the page they are on 
into an e-mail / instant message and inadvertantly giving their session 
to someone else.

Cheers,

Simon




More information about the Python-list mailing list