HTTP state management without cookies?

Simon Willison cs1spw at bath.ac.uk
Wed Feb 20 04:17:43 EST 2002


Jonathan Gardner wrote:

> There are security problems. I tried to force the guy to be coming from one 
> unique IP address, but I found that too many places have firewalls or 
> something that change the IP address of the user each time they access the 
> page, so I had to abandon that.

I hadn't realised some places had dynamically changing IP addresses. My 
security method was to save the User Agent, IP address and the time the 
session was created (so I can expire it after X minutes). I suppose you 
could deal with IP addresses by ensuring that the first part of the IP 
address remains the same, i.e.

User logs on initially as 172.21.16.189
Session then allows access from 172.21.16.* or 172.21.*.*

It's pretty important to provide some kind of checking mechanism like 
that to avoid people copying/pasting the URL of the page they are on 
into an e-mail / instant message and inadvertently giving their session 
to someone else.

Cheers,

Simon
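The check Simon describes (user agent, IP prefix and creation time bound to a URL-carried session id), as an added Python example that is not part of the original post or the mailing-list thread; the names SessionStore, SessionRecord and prefix_bits are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SessionRecord:
    user: str
    user_agent: str
    ip: str
    created: float


class SessionStore:
    """Server-side sessions keyed by a random token carried in the URL (hypothetical helper)."""

    def __init__(self, max_age_seconds=1800, prefix_bits=16):
        self.max_age = max_age_seconds
        self.prefix_bits = prefix_bits  # 16 -> 172.21.*.*, 24 -> 172.21.16.*
        self._sessions = {}

    def create(self, user, user_agent, ip, now=None):
        token = secrets.token_urlsafe(32)  # unguessable session id, the only real secret
        created = now if now is not None else time.time()
        self._sessions[token] = SessionRecord(user, user_agent, ip, created)
        return token

    def _same_prefix(self, stored_ip, seen_ip):
        # Compare only the leading prefix_bits of the address, as the post suggests
        net = ip_network(f"{stored_ip}/{self.prefix_bits}", strict=False)
        return ip_address(seen_ip) in net

    def validate(self, token, user_agent, ip, now=None):
        """Return the user name for a valid session, or None if any binding fails."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = now if now is not None else time.time()
        if now - rec.created > self.max_age:
            del self._sessions[token]  # expire after X minutes
            return None
        if rec.user_agent != user_agent:
            return None
        if not self._same_prefix(rec.ip, ip):
            return None
        return rec.user
```

The prefix match is a heuristic: a /16 can be shared by many unrelated clients behind one provider or proxy, and the user agent string carries no secret, so the random token remains the only thing actually protecting the session.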