>> In the current version of web2py, the default behavior is that upon
>> logout, the session is cleared and renewed (i.e., a new session ID is
>> issued). However, it does not delete the old session file.
>>
>> When you say it "somehow doesn't work," do you just mean the old session
>> file remains, or is something else not working?
>
> Yes. The session file does not get deleted.
> The side effect of the session file remaining on the disk is that if the
> "hijacked" session ID is used by the attacker, then "somehow" the contents of
> the session file on the disk are reused (even if the session contents in
> memory (Storage object) are cleaned), thus allowing the attacker access to
> the logged-in page without actually having to log in.
It may be worth having web2py delete the file (or database record in the case of database-based sessions) automatically upon session.renew(). Maybe submit a Google Code issue about this.

> BTW - which method gets invoked when the session has "expired"?
> Is there a "hook" where I can add the code to delete the session file - in
> addition to post_logout?

First, although login can expire, sessions themselves do not expire (they simply terminate when the browser session ends by virtue of the fact that the browser will no longer transmit session cookies for old sessions). In any case, there is no process that can monitor sessions/logins for expiration automatically (i.e., no place for a "hook"). The only "events" that the framework can respond to are requests, but an inactive client is not making any requests, so there would be nothing to trigger an expiration check.

If you want to monitor logins for expiration and proactively delete session files or database records, you would have to run an external process (i.e., something like sessions2trash), perhaps using the scheduler or some other mechanism.

To prevent session hijacking, keep all logged-in activity (including the login itself) over HTTPS. If you're still concerned, delete the session file upon logout (as you are now doing) and run sessions2trash periodically. Trying to delete the session file at the precise instant of login expiration will add little to overall security.

Anthony
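As an added example (not code from this thread, and not web2py's own Session implementation), the following self-contained Python script models the behaviour discussed above: a minimal file-backed session store whose `renew()` either leaves the old file in place or deletes it, plus a sessions2trash-style sweep for files that went idle without ever reaching the logout path. `FileSessionStore`, `logout_then_replay_old_id` and `sweep_expired_sessions` are constructed names; the store is a stand-in for web2py's file sessions, not its code.

```python
import json
import os
import secrets
import shutil
import tempfile
import time


class FileSessionStore:
    """Minimal file-backed session store, constructed for this example only."""

    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)

    def _path(self, session_id):
        # The id arrives in a client cookie: accept only plain ASCII tokens so
        # a crafted value cannot name a file outside the session directory.
        if not (session_id.isascii() and session_id.isalnum()):
            raise ValueError("malformed session id")
        return os.path.join(self.directory, session_id)

    def create(self, data):
        session_id = secrets.token_hex(16)
        self.save(session_id, data)
        return session_id

    def save(self, session_id, data):
        with open(self._path(session_id), "w") as fh:
            json.dump(data, fh)

    def load(self, session_id):
        """Return the stored session dict, or None if no file exists."""
        try:
            with open(self._path(session_id)) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return None

    def delete(self, session_id):
        try:
            os.remove(self._path(session_id))
        except FileNotFoundError:
            pass  # already gone

    def renew(self, old_id, data, delete_old=True):
        """Issue a fresh id for `data`. With delete_old=False the old file is
        left on disk, which is the behaviour the thread describes."""
        new_id = self.create(data)
        if delete_old:
            self.delete(old_id)
        return new_id

    def purge_older_than(self, max_age_seconds, now=None):
        """sessions2trash-style sweep: remove files not modified within
        max_age_seconds and return how many were removed."""
        now = time.time() if now is None else now
        removed = 0
        for name in os.listdir(self.directory):
            path = os.path.join(self.directory, name)
            if now - os.path.getmtime(path) > max_age_seconds:
                os.remove(path)
                removed += 1
        return removed


def logout_then_replay_old_id(delete_old_file):
    """Log in, log out (clear + renew), then present the pre-logout id again.
    Returns (what the old id resolves to, what the new id resolves to)."""
    directory = tempfile.mkdtemp()
    try:
        store = FileSessionStore(directory)
        old_id = store.create({"user_id": 42, "logged_in": True})
        # Logout: the in-memory session is emptied and a new id is issued.
        new_id = store.renew(old_id, {}, delete_old=delete_old_file)
        return store.load(old_id), store.load(new_id)
    finally:
        shutil.rmtree(directory)


def sweep_expired_sessions(max_age_seconds=3600):
    """Create one fresh and one back-dated session file, sweep, and return
    (files removed, fresh session still loads, stale session is gone)."""
    directory = tempfile.mkdtemp()
    try:
        store = FileSessionStore(directory)
        fresh_id = store.create({"user_id": 1})
        stale_id = store.create({"user_id": 2})
        day_ago = time.time() - 86400
        os.utime(store._path(stale_id), (day_ago, day_ago))  # simulate an old file
        removed = store.purge_older_than(max_age_seconds)
        return removed, store.load(fresh_id) is not None, store.load(stale_id) is None
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    print("old file kept:   ", logout_then_replay_old_id(False)[0])
    print("old file deleted:", logout_then_replay_old_id(True)[0])
    print("sweep:", sweep_expired_sessions())
```

With `delete_old=False` the pre-logout id still resolves to the logged-in data even though the live session was emptied, which is exactly the stale-file reuse reported in the thread; with `delete_old=True` it resolves to nothing. The sweep handles the other case Anthony raises: sessions that simply went idle never hit the logout hook, so only an out-of-band job can remove them.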