On Wed, Oct 15, 2014 at 1:06 AM, Anthony <abasta...@gmail.com> wrote:

> On Tuesday, October 14, 2014 2:18:05 PM UTC-4, Mandar Vaze wrote:
>>
>> (This is related to security issue - I've explained the security issue in
>> detail to Massimo and anthony separately)
>>
>> I want the session to be "invalid" as soon as after user logs out (as
>> well as after certain period of inactivity)
>> This is "supposed to be" default behaviour - but somehow doesn't work.
>>
>
> In the current version of web2py, the default behavior is that upon
> logout, the session is cleared and renewed (i.e., a new session ID is
> issued). However, it does not delete the old session file.
>
> When you say it "somehow doesn't work," do you just mean the old session
> file remains, or is something else not working?
>

Yes. The session file does not get deleted.
The side effect of the session file remaining on disk is that if the
"hijacked" session ID is used by the attacker, then "somehow" the contents of
the session file on disk are reused (even if the session contents in
memory (the Storage object) are cleaned), thus allowing the attacker access to
the logged-in page without actually having to log in.

So now I'm explicitly deleting the session file.

BTW - which method gets invoked when the session has "expired"?
Is there a "hook" where I can add the code to delete the session file, in
addition to post_logout?
This may be better than a too-frequent cron job with the sessions2trash script.

-Mandar

>
>
>> What I want is something like sessions2trash.py script - except that file
>> should deleted right away - even if the session has *not* expired.
>>
>> Currently I'm using something like following. *Please suggest correct
>> way to handle this* (I know this works only for file based sessions, but
>> that is OK)
>>
>> def post_logout(user):
>>     try:
>>         import os
>>         os.unlink(response.session_filename)  # Clear the session from disk
>>     except OSError:
>>         pass
>>     session.renew(clear_session=True)  # Clear the memory/Storage object.
>>
>>
>
> You shouldn't need that last line, as the logout function already does
> exactly that by default.
>
> Anthony
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/web2py/j-GwnDc0G6g/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
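Turning the approach discussed above into stand-alone helpers (an added example, not code from this thread or from web2py itself): remove_session_file is the explicit unlink that post_logout performs, and expire_idle_sessions is a constructed sweep in the spirit of sessions2trash.py for the inactivity case. web2py's response.session_filename and session.renew() are taken from the thread; the sessions directory, file names and idle limit in the demo are made up.

```python
import os
import tempfile
import time

def remove_session_file(path):
    """Unlink an on-disk session file so a reused (hijacked) session ID finds
    nothing to reload. Returns True if a file was removed, False if it was
    already gone (e.g. removed earlier by a sessions2trash-style sweep)."""
    try:
        os.unlink(path)
        return True
    except OSError:
        return False

def expire_idle_sessions(sessions_dir, max_idle_seconds, now=None):
    """Remove session files whose last modification is older than the idle
    limit and return the removed paths. Constructed stand-in for the cron
    job mentioned in the thread; in web2py the session file's mtime is
    refreshed on each request that saves the session (assumption)."""
    now = time.time() if now is None else now
    removed = []
    for name in os.listdir(sessions_dir):
        path = os.path.join(sessions_dir, name)
        if not os.path.isfile(path):
            continue  # skip sub-directories or stray non-file entries
        if now - os.path.getmtime(path) > max_idle_seconds:
            if remove_session_file(path):
                removed.append(path)
    return sorted(removed)

def demo():
    """Constructed scenario: two session files in a temporary 'sessions'
    directory, one of them idle for an hour, with a 30-minute idle limit.
    Returns (removed file names, whether the fresh file survived)."""
    sessions_dir = tempfile.mkdtemp(prefix="sessions-")
    fresh = os.path.join(sessions_dir, "127.0.0.1-fresh")  # made-up names
    stale = os.path.join(sessions_dir, "127.0.0.1-stale")
    for path in (fresh, stale):
        open(path, "w").close()
    now = time.time()
    os.utime(stale, (now - 3600, now - 3600))  # pretend last use was 1h ago
    removed = expire_idle_sessions(sessions_dir, 30 * 60, now=now)
    return [os.path.basename(p) for p in removed], os.path.exists(fresh)

if __name__ == "__main__":
    print(demo())
```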
