durusmail: quixote-users: Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
A.M. Kuchling
2006-06-29
On Thu, Jun 29, 2006 at 11:19:12AM -0700, Mike Orr wrote:
> TurboGears signs the cookie using a hash.  I don't understand how this
> works, and the developer said he only did it because people insisted,
> not because he thought it was more secure.  But I can dig up the notes
> and implementation if there's sufficient interest.

Presumably this is to make the contents more random.  If you numbered
sessions as 1,2,3,4,..., I might set my browser to try different
numbers as my session ID and see what I could find.  (Especially for a
high-value site like a bank!)  If the sequential integer is hashed
with some secret, it becomes much harder to guess another user's
session ID.

--amk

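The guessing argument above in working code, as an added example that is not part of the original thread or of Quixote or TurboGears: a sequential session counter is paired with an HMAC tag computed under a server-side secret. The secret key, the cookie layout (`counter.tag`) and the function names are assumptions made for the illustration. An attacker who holds one valid cookie can bump the counter, but the tag no longer verifies, so the neighbouring session is not reachable. Note what the hash does not buy: the counter itself is still visible, so the scheme reveals how many sessions have been issued, and anyone who obtains the secret can mint a cookie for any counter.

```python
import hashlib
import hmac

# Constructed secret for the example only; a real server loads this from
# configuration and never hardcodes or reuses it.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def sign_session_id(counter: int, key: bytes = SECRET_KEY) -> str:
    """Issue a cookie value 'counter.tag' with tag = HMAC-SHA256(key, counter)."""
    msg = str(counter).encode("ascii")
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{counter}.{tag}"


def verify_session_id(cookie: str, key: bytes = SECRET_KEY):
    """Return the counter if the cookie's tag is valid under key, else None."""
    try:
        counter_str, tag = cookie.split(".", 1)
        counter = int(counter_str)
    except ValueError:
        # malformed cookie: no separator or non-numeric counter
        return None
    expected = hmac.new(key, str(counter).encode("ascii"),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so a wrong tag cannot be refined byte by byte
    if not hmac.compare_digest(expected, tag):
        return None
    return counter


def guess_neighbour(cookie: str, delta: int = 1) -> str:
    """What the guessing attack looks like: keep the tag from a cookie the
    attacker legitimately holds and change only the counter."""
    counter_str, tag = cookie.split(".", 1)
    return f"{int(counter_str) + delta}.{tag}"


if __name__ == "__main__":
    mine = sign_session_id(42)
    print("own cookie verifies as", verify_session_id(mine))
    forged = guess_neighbour(mine)
    print("neighbour guess verifies as", verify_session_id(forged))
```

Without the tag, the same attack is just `verify` of "43", which succeeds; with it, every guessed counter needs a fresh 256-bit tag the attacker cannot compute without `SECRET_KEY`. Whether the counter should be exposed at all is a separate choice; a random token from `secrets.token_hex` avoids both problems at the cost of a server-side lookup.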