> I don't think there is any good reason to have the IP address in the
> cookie. Also, making the cookie purely a random number feels right to
> me although I can't explain why. The remote IP address is available as
> the 'remote_address' attribute on Session objects.
It need not be in the cookie itself... especially since it's *now* available
in the session object.
> You can still do this using the remote_address attribute of the Session
> object. Good idea, BTW. It could be defeated but it definitely raises
> the barrier. Do you mind submitting a patch?
Here it is, pretty simple stuff.
diff -ur Quixote-0.4.7-vanilla/config.py Quixote-0.4.7/config.py
--- Quixote-0.4.7-vanilla/config.py Mon Apr 29 11:37:34 2002
+++ Quixote-0.4.7/config.py Mon Apr 29 11:45:44 2002
@@ -106,6 +106,10 @@
COOKIE_NAME = "QX_session"
COOKIE_PATH = "/"
+# If true, the originating IP address of a request will be checked against
+# the session it claims to be using; this is a defense against playback
+# attacks. It will frustrate mobile laptop users, though.
+CHECK_SESSION_ADDR = 0
# Mail-related variables
# ======================
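Review bot: The comment above CHECK_SESSION_ADDR should say what is actually compared, namely the REMOTE_ADDR the server sees for the request versus the address recorded when the session was created. That makes the limitation explicit for operators: clients behind a NAT or a pool of proxies that rotate the egress address will be logged out (not only mobile laptop users), while anyone sharing the same NAT as the legitimate user still passes the check, so the option raises the bar against replay but does not bind the session to one client. Suggested wording for the last sentence: "It will frustrate users whose address changes between requests (mobile users, rotating proxies), and offers no protection against an attacker behind the same NAT."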
@@ -185,6 +189,7 @@
'cookie_domain',
'cookie_name',
'cookie_path',
+ 'check_session_addr',
'mail_from',
'mail_server',
'mail_debug_addr',
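Review bot: Style only: the surrounding entries are grouped by prefix (cookie_*, then mail_*), and 'check_session_addr' is placed after the cookie_* block even though it does not share the prefix. Grouping it with the cookie settings is defensible since it is a session option, but if this list is meant to be alphabetical within the section it belongs before 'cookie_domain'; either way, keep the placement consistent with whatever convention the rest of the list uses.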
diff -ur Quixote-0.4.7-vanilla/session.py Quixote-0.4.7/session.py
--- Quixote-0.4.7-vanilla/session.py Mon Apr 29 11:37:34 2002
+++ Quixote-0.4.7/session.py Mon Apr 29 11:48:32 2002
@@ -156,7 +156,9 @@
id = None
if id is not None:
session = self.sessions.get(id)
- if session is None:
+ if session is None or (config.check_session_addr and \
+ session.remote_address !=
+ request.get_environ("REMOTE_ADDR")):
# Note that it's important to revoke the session cookie
# so the user doesn't keep getting "Expired session ID"
# error pages. However, it has to be done in the
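Review bot: The backslash after `and` on the first `+` line is redundant: the whole expression is already inside the parentheses opened on the `if` line, so Python continues the line without it; drop it to keep the continuation clean. More importantly, the address-mismatch case is handled exactly like a missing session (cookie revoked, "Expired session ID" page), so an operator gets no signal that a valid session id was presented from a different address, which is precisely the event this option exists to catch. Consider logging the session id, session.remote_address and request.get_environ("REMOTE_ADDR") before falling through to the revoke path. Finally, if session.remote_address can be unset for sessions created before the option was enabled, the comparison fails on every request and turning the setting on will log out every existing user; treating an unset remote_address as "no address recorded" and skipping the check for that session avoids the mass logout.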
jon
Jonathan Corbet
Executive editor, LWN.net
corbet@lwn.net