session.secure() does solve the problem since it forces the session
over https and therefore it cannot be stolen. Even if the session were
to be reset at login, without a https connection it can still be
stolen after login.
One solution is
session.client=session.client or request.client
if not se
Well, I'm afraid all the solutions you gave, though they seem reasonable,
won't solve the scenario I talked about. The problem is with the fact
that the session won't change on login (so I can just get into the website,
before someone else does, copy the session data, and then wait for him
to log in).
On N
There are two things you can do.
1) session.secure() # will force session over https
2) call auth.logout() to delete all auth information from the session
(this will not change the session cookie)
3)
auth.settings.logout_onlogout = lambda user: os.unlink(response.session_filename)
This will delete
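The weakness discussed in this thread and the two checks the posts point at, as an added Python example that is not web2py's code or any poster's: a toy server-side session store whose `login()` either keeps the session id (the problem described above) or rotates it, and whose `get()` binds each session to the client address in the spirit of `session.client = session.client or request.client`. The class, function names and addresses are constructed for the example.

```python
import secrets

class SessionStore:
    """Server-side sessions keyed by an opaque id (think file-backed store)."""
    def __init__(self):
        self._data = {}

    def new(self, client):
        # Fresh session, bound to the address that created it (constructed example).
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {"client": client, "user": None}
        return sid

    def get(self, sid, client):
        # Only hand back a session to the client it was bound to.
        sess = self._data.get(sid)
        if sess is None or sess["client"] != client:
            return None
        return sess

    def login(self, sid, client, user, rotate=True):
        # rotate=False: authenticate in place, id unchanged (the thread's weakness).
        # rotate=True: discard the old id so a pre-login copy of it is worthless.
        sess = self.get(sid, client)
        if sess is None:
            raise PermissionError("unknown session or client mismatch")
        if not rotate:
            sess["user"] = user
            return sid
        del self._data[sid]
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = {"client": client, "user": user}
        return new_sid

def fixation_demo(rotate):
    """Thread scenario: an id copied before login is replayed after login.
    Returns the user that replay resolves to; None means it was rejected."""
    store = SessionStore()
    captured = store.new(client="10.0.0.5")   # constructed client address
    store.login(captured, "10.0.0.5", "alice", rotate=rotate)
    sess = store.get(captured, "10.0.0.5")
    return None if sess is None else sess["user"]

def client_binding_demo():
    """A valid, logged-in id presented from a different address is rejected."""
    store = SessionStore()
    sid = store.new(client="10.0.0.5")
    sid = store.login(sid, "10.0.0.5", "alice", rotate=False)
    return store.get(sid, "192.0.2.7")
```

Binding to the client address is only a secondary check, since clients behind a shared proxy or NAT present the same address; it does not replace rotating the id at login or forcing the session over HTTPS.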