On 8/10/06, uselpa <[EMAIL PROTECTED]> wrote:
>
>
> spacedman wrote:
> > /foo/bar/info?session_id=0873556323
> >
> > BUT if anyone gets that URL they get that person's session. Which is a
> > BAD thing. So don't do that.
>
> Unless you check that the IP from which the request is coming is the
> same IP from which the initial request came.
Unless they're behind some type of NATing of course...

It is best to ensure that any non-cookie based sessions are temporary and time out promptly. Realise as well that anyone who can get your URL either has access to your machine or is sniffing your network traffic, which would also mean that they could get your cookie information.

If you're tracking sessions for personalisation reasons then both methods are fine. As soon as sensitive information is being tied to a session (card details etc.) then a new session id should be generated and only passed over encrypted channels. This session should be destroyed as soon as possible and not used for accessing unencrypted pages.

IP checking and other such methods can work (intranets would probably be the best environment) but can break and lead to annoyed users. I personally would recommend concentrating on a solid application design which minimised the exposure of sensitive information.

Just my £0.02 (which I suppose is almost $0.04 these days ;-)

Felix

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users
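The handling Felix describes above (short-lived URL-carried sessions, a fresh session id issued the moment sensitive data is attached, and that elevated session accepted only over an encrypted channel and torn down if it ever shows up on a plaintext request) can be written as a small in-memory session store. This is an added illustration, not code from the thread or from Django; the class names, the `transport` / `secure_channel` flags and the TTL values are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed lifetimes (seconds). URL-carried ids leak via logs, referers and
# shoulder-surfing, so they get the shortest window.
URL_SESSION_TTL = 300
COOKIE_SESSION_TTL = 3600
ELEVATED_SESSION_TTL = 900


@dataclass
class Session:
    sid: str
    created: float
    transport: str            # "url" (id in the query string) or "cookie"
    elevated: bool = False    # True once sensitive data is tied to it
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory store implementing the thread's recommendations."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested offline

    def create(self, transport):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(sid, self._clock(), transport)
        return sid

    def _ttl(self, s):
        if s.elevated:
            return ELEVATED_SESSION_TTL
        return URL_SESSION_TTL if s.transport == "url" else COOKIE_SESSION_TTL

    def get(self, sid, secure_channel):
        """Return the live session, or None; expired/misused ids are destroyed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.created > self._ttl(s):
            self.destroy(sid)
            return None
        # An elevated session must never be used to reach an unencrypted page:
        # presenting it in the clear burns it rather than serving the request.
        if s.elevated and not secure_channel:
            self.destroy(sid)
            return None
        return s

    def elevate(self, sid, secure_channel, sensitive):
        """Attach sensitive data under a *new* id; refused over plaintext."""
        if not secure_channel:
            raise PermissionError("sensitive data only over an encrypted channel")
        old = self.get(sid, secure_channel)
        if old is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]            # old id can no longer be replayed
        new_sid = secrets.token_urlsafe(32)
        new = Session(new_sid, self._clock(), "cookie", elevated=True,
                      data=dict(old.data))
        new.data.update(sensitive)
        self._sessions[new_sid] = new
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def walkthrough(store):
    """Drive the store through the scenario from the thread; returns outcomes."""
    out = {}
    sid = store.create("url")
    out["url_session_usable"] = store.get(sid, secure_channel=False) is not None
    try:
        store.elevate(sid, secure_channel=False, sensitive={"card": "0000"})
        out["elevate_over_plaintext_refused"] = False
    except PermissionError:
        out["elevate_over_plaintext_refused"] = True
    new_sid = store.elevate(sid, secure_channel=True, sensitive={"card": "0000"})
    out["new_id_issued"] = new_sid != sid
    out["old_id_dead"] = store.get(sid, secure_channel=True) is None
    out["elevated_ok_on_tls"] = store.get(new_sid, secure_channel=True).data["card"] == "0000"
    out["elevated_burned_on_plaintext"] = store.get(new_sid, secure_channel=False) is None
    out["elevated_gone_afterwards"] = store.get(new_sid, secure_channel=True) is None
    return out


if __name__ == "__main__":
    for key, value in walkthrough(SessionStore()).items():
        print(f"{key}: {value}")
```

The IP-binding idea from the quoted message is deliberately left out: as the reply notes, it breaks behind NAT and proxies, whereas short lifetimes and id rotation cost the user nothing.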