durusmail: quixote-users: session change
session change
Neil Schemenauer
2002-04-29
On Mon, Apr 29, 2002 at 10:58:48AM -0600, Jonathan Corbet wrote:
> I'm just now getting around to upgrading past 0.4.4.  One of the changes
> there has bitten me slightly:
>
>       Changed format of session cookies: they're now just random 64-bit
>       numbers in hex.
>
> Was there a reason for that change?

I don't think there is any good reason to have the IP address in the
cookie.  Also, making the cookie purely a random number feels right to
me although I can't explain why.  The remote IP address is available as
the 'remote_address' attribute on Session objects.

> I had put together a tweaked session manager that compared the IP
> address in the session cookie against the actual source of the request
> as a (paranoid, I'm sure) way of defending against sniff-and-playback
> attacks.

You can still do this using the remote_address attribute of the Session
object.  Good idea, BTW.  It could be defeated but it definitely raises
the barrier.  Do you mind submitting a patch?  We should make it an
optional feature that could be enabled in the config.

  Neil
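The arrangement Neil describes, as an added stand-alone illustration (not Quixote's own SessionManager or any code from this thread): the cookie value is a random 64-bit number in hex, the client address is recorded server-side on the session object (mirroring the `remote_address` attribute), and comparing that address against the source of each request is a switch that can be turned off. The `SessionStore`, `bind_to_address` flag and `is_hex_session_id` helper are hypothetical names chosen for this example.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed example; not Quixote's session code.
SESSION_ID_BYTES = 8  # 64 bits, rendered as 16 hex characters


def new_session_id() -> str:
    """Return a fresh, unguessable 64-bit session id as lowercase hex."""
    return secrets.token_hex(SESSION_ID_BYTES)


def is_hex_session_id(value: str) -> bool:
    """Cheap format check before a store lookup: exactly 16 hex digits."""
    if len(value) != 2 * SESSION_ID_BYTES:
        return False
    try:
        int(value, 16)
    except ValueError:
        return False
    return True


class Session:
    def __init__(self, session_id: str, remote_address: str):
        self.id = session_id
        # Address of the client that created the session; kept server-side,
        # never placed in the cookie (the point of the 0.4.4 change).
        self.remote_address = remote_address
        self.created = time.time()


class SessionStore:
    """In-memory session store with optional client-address binding.

    bind_to_address is the hypothetical config switch standing in for the
    "optional feature" suggested in the thread."""

    def __init__(self, bind_to_address: bool = False):
        self.bind_to_address = bind_to_address
        self._sessions: Dict[str, Session] = {}

    def create(self, remote_address: str) -> Session:
        session = Session(new_session_id(), remote_address)
        self._sessions[session.id] = session
        return session

    def lookup(self, cookie_value: str, remote_address: str) -> Optional[Session]:
        """Resolve a cookie value to a session.

        Returns None when the id is malformed, unknown, or (with binding
        enabled) presented from a different address than the one it was
        issued to, which is how a sniffed-and-replayed cookie from another
        host is refused."""
        if not is_hex_session_id(cookie_value):
            return None
        session = self._sessions.get(cookie_value)
        if session is None:
            return None
        if self.bind_to_address and session.remote_address != remote_address:
            return None
        return session


if __name__ == "__main__":
    store = SessionStore(bind_to_address=True)
    s = store.create("10.0.0.5")
    print("cookie:", s.id)
    print("same host:", store.lookup(s.id, "10.0.0.5") is s)
    print("other host:", store.lookup(s.id, "10.0.0.9") is None)
```

As the thread notes, the address comparison raises the bar rather than closing the hole: a replay from behind the same NAT or proxy still matches, so the check belongs alongside, not instead of, transport encryption and session expiry.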

