durusmail: quixote-users: Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Neil Schemenauer
2006-06-29
Charles wrote:
> Maybe the better option would be to move the check to the rest of the
> session handling code, where it could be run when enabled for that session.
> Any ideas on how to do this?

I think you could also do it inside the application code.  For
example, assuming you are using Quixote 2, add a _q_traverse method
that does whatever checking is desired.  Return an error page if access
is not allowed.

> Has anyone else come up with a good way to keep sessions secure short of
> expiring them after a certain time?

Could you explain what kind of attacks you are concerned about?

  Neil
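
A sketch of the per-session address check done inside _q_traverse, added here as an example; it is not part of Neil's message and not Quixote's own code. Session, Request, AppDirectory, AccessDenied and the check_addr flag are hypothetical stand-ins, and the request is passed in explicitly so the block runs without Quixote installed.

```python
# Stand-ins only: these mimic a request, a session and a Quixote 2 style directory.
from dataclasses import dataclass


@dataclass
class Session:                      # hypothetical per-session record
    user: str
    remote_addr: str                # address recorded when the session was created
    check_addr: bool = True         # per-session switch instead of one global setting


@dataclass
class Request:                      # hypothetical request carrying its session
    remote_addr: str
    session: Session


class AccessDenied(Exception):
    """Raised when the request may not use the session it presented."""


def check_session_addr(request):
    """Enforce address pinning only for sessions that have it enabled."""
    s = request.session
    if s.check_addr and s.remote_addr != request.remote_addr:
        raise AccessDenied("session %r presented from a different address" % s.user)


class AppDirectory:
    """Root of the application; every request passes through _q_traverse."""
    def __init__(self, request):
        self.request = request

    def _q_traverse(self, path):
        try:
            check_session_addr(self.request)
        except AccessDenied as exc:
            return "403 Forbidden: %s" % exc       # error page instead of the content
        return "200 OK: /" + "/".join(path)        # stand-in for normal traversal


def demo():
    pinned = Session("alice", "192.0.2.10")                    # constructed sample data
    roaming = Session("bob", "192.0.2.20", check_addr=False)   # opted out of the check
    return [
        AppDirectory(Request("192.0.2.10", pinned))._q_traverse(["inbox"]),
        AppDirectory(Request("198.51.100.7", pinned))._q_traverse(["inbox"]),
        AppDirectory(Request("198.51.100.7", roaming))._q_traverse(["inbox"]),
    ]
```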
