durusmail: quixote-users: Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Mike Orr
2006-06-29
On 6/29/06, Charles wrote:
> Primarily session id cookie hijacking...

TurboGears signs the cookie using a hash.  I don't understand how this
works, and the developer said he only did it because people insisted,
not because he thought it was more secure.  But I can dig up the notes
and implementation if there's sufficient interest.

--
Mike Orr 
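An added example, not part of the original message and not TurboGears or Quixote code: a generic HMAC-SHA256 signed session cookie, showing what a signature does and does not buy against the cookie hijacking quoted above. The key, cookie layout, function names and addresses are assumptions made for this sketch, and the optional address binding only stands in for the kind of check the subject line's CHECK_SESSION_ADDR refers to.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret; constructed for this example, never sent to the client.
SECRET_KEY = secrets.token_bytes(32)


def _mac(payload: str) -> bytes:
    """Keyed hash over the payload; only the key holder can compute it."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def _bound(session_id: str, client_addr: Optional[str]) -> str:
    # Without an address the MAC covers the id alone; with one, id and address.
    return session_id if client_addr is None else f"{session_id}|{client_addr}"


def issue_cookie(session_id: str, client_addr: Optional[str] = None) -> str:
    """Return 'session_id.signature' (hypothetical cookie layout)."""
    return f"{session_id}.{_mac(_bound(session_id, client_addr)).decode()}"


def verify_cookie(cookie: str, client_addr: Optional[str] = None) -> Optional[str]:
    """Return the session id if the signature verifies, else None."""
    session_id, sep, sig = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    expected = _mac(_bound(session_id, client_addr))
    return session_id if hmac.compare_digest(sig.encode(), expected) else None


def demo() -> dict:
    sid = secrets.token_hex(16)
    plain = issue_cookie(sid)                 # signed, not bound to an address
    bound = issue_cookie(sid, "192.0.2.10")   # signed and bound (constructed address)
    forged = "0" * 32 + "." + plain.rpartition(".")[2]  # guessed id, reused signature
    return {
        "forged_id_rejected": verify_cookie(forged) is None,
        "stolen_plain_replay_accepted": verify_cookie(plain) == sid,
        "stolen_bound_replay_rejected": verify_cookie(bound, "198.51.100.7") is None,
        "bound_same_addr_accepted": verify_cookie(bound, "192.0.2.10") == sid,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature stops a client from forging or altering a session id, but a cookie copied verbatim still verifies unless the server also checks something the thief cannot copy, such as the client address or a TLS-only channel.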