On Thu, Oct 16, 2014 at 2:29 AM, Anthony wrote:
Yes. Session file does not get deleted.

>> The side effect of session file remaining on the disk is that if the
>> "hijacked" session ID is used by the attacker - then "somehow" contents of
>> the session file on the disk are reused (even if session contents from
>> memory (Storage object) are cleaned), thus allowing the attacker access to
>> the logged in page without actually having to login.
>
> It may be worth having web2py delete the file (or database record in the
> case of database based sessions) automatically upon session.renew(). Maybe
> submit a Google Code issue about this.

Done. https://code.google.com/p/web2py/issues/detail?id=1999

> browser will no longer transmit session cookies for old sessions).

But this is the "normal" case - the attacker can use/transmit "session cookies
for old sessions" (which is where the whole discussion started).

> In any case, there is no process that can monitor sessions/logins for
> expiration automatically (i.e., no place for a "hook"). The only "events"
> that the framework can respond to are requests, but an inactive client is
> not making any requests, so there would be nothing to trigger an expiration
> check.

I understand. I am not looking for a "process". I want to know *which place in
web2py code* "determines", for a normal request, that the session has expired
and the user should be redirected to the "login" page before the requested page
is served? (It attaches the appropriate _next to the login form, so that after
successful authentication the user is taken to the page s/he requested.)

This is for my *understanding of web2py innards* better (may or may not help my
current problem, but may give me some ideas/clues). I want to put a breakpoint
and trace this code to understand this better.

> To prevent session hijacking,
> keep all logged in activity (including the login itself) over HTTPS.

Done.

> If you're still concerned, delete the session file upon logout (as you are
> now doing)

Done.

> and run sessions2trash periodically.

Will adding the following (from the sessions2trash.py docstring) be better if
called *immediately after successful login*? This IMO ensures that session files
are deleted after a login attempt - especially when login was "forced" by the
web2py framework due to an expired session.

    # Delete session in a module (move to the modules folder)
    from sessions2trash import single_loop

    def delete_sessions():
        single_loop()

-Mandar

> Trying to delete the session file at the precise instant of login
> expiration will add little to overall security.
>
> Anthony
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
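As an added illustration of the two points argued in this thread (the old session file surviving session.renew(), and the per-request check that sends an expired session to the login page with _next set), the toy file-backed session store below is example code written for this page; it is not web2py's own code and does not use web2py's API. FileSessionStore, handle_request, demo and the "sess_<id>" file naming are all assumptions made for the illustration. renew_leaky() reproduces the behaviour the thread describes (new ID issued, old file left on disk, so the old ID still loads a logged-in session); renew() is the hardened form that deletes the old file; handle_request() shows the expiry check and the redirect to login with _next carrying the requested page.

```python
"""Constructed illustration (not web2py's own code): a file-backed session
store whose renew() either leaves the old session file on disk or deletes it,
plus a per-request expiry check that redirects to login with _next set."""
import json
import os
import secrets
import tempfile
import time
from urllib.parse import quote


class FileSessionStore:
    """Hypothetical store: one JSON file per session ID under `directory`."""

    def __init__(self, directory, max_age):
        self.directory = directory
        self.max_age = max_age  # seconds of inactivity before a session expires

    def _path(self, sid):
        return os.path.join(self.directory, "sess_" + sid)

    def _write(self, sid, data):
        data = dict(data)
        data["_touched"] = time.time()  # last-activity timestamp, stored with the session
        with open(self._path(sid), "w") as fh:
            json.dump(data, fh)

    def create(self, data):
        sid = secrets.token_hex(16)
        self._write(sid, data)
        return sid

    def load(self, sid, now=None):
        """Return the session dict, or None if the ID is unknown or expired
        (an expired file is removed on the spot, as a periodic sweep would)."""
        if not sid or not os.path.exists(self._path(sid)):
            return None
        with open(self._path(sid)) as fh:
            data = json.load(fh)
        now = time.time() if now is None else now
        if now - data["_touched"] > self.max_age:
            os.remove(self._path(sid))
            return None
        return data

    def renew_leaky(self, old_sid):
        """Behaviour the thread complains about: a fresh ID is issued but the
        old file stays on disk, so the old ID still loads a logged-in session."""
        return self.create(self.load(old_sid) or {})

    def renew(self, old_sid):
        """Fix suggested in the thread: copy the data to a new ID, then delete
        the old file so the old ID can no longer be presented."""
        data = self.load(old_sid) or {}
        new_sid = self.create(data)
        if os.path.exists(self._path(old_sid)):
            os.remove(self._path(old_sid))
        return new_sid


def handle_request(store, sid, requested_path, now=None):
    """Per-request check: unknown, expired or unauthenticated session -> redirect
    to the login page carrying _next so the user lands on the requested page."""
    data = store.load(sid, now=now)
    if data is None or not data.get("user"):
        return {"status": 303,
                "location": "/user/login?_next=" + quote(requested_path, safe="")}
    return {"status": 200, "body": "%s for %s" % (requested_path, data["user"])}


def demo():
    """Runs the scenarios from the thread and returns their outcomes."""
    store = FileSessionStore(tempfile.mkdtemp(), max_age=3600)
    sid = store.create({"user": "alice"})  # constructed logged-in session

    # 1. leaky renew: the previous ID still serves the protected page
    sid2 = store.renew_leaky(sid)
    old_id_still_works = handle_request(store, sid, "/secret")["status"] == 200

    # 2. hardened renew: the previous ID is rejected, the new one is accepted
    sid3 = store.renew(sid2)
    old_id_rejected = handle_request(store, sid2, "/secret")["status"] == 303
    fresh_ok = handle_request(store, sid3, "/secret")["status"]

    # 3. expiry: two hours of inactivity later the valid ID is sent to login
    expired = handle_request(store, sid3, "/secret", now=time.time() + 7200)

    return {
        "old_id_still_works_after_leaky_renew": old_id_still_works,
        "old_id_rejected_after_fixed_renew": old_id_rejected,
        "fresh_id_still_valid": fresh_ok,
        "expired_redirect": expired["location"],
    }


if __name__ == "__main__":
    print(demo())
```

The store keeps the last-activity time inside the session file, so expiry is decided from the request that carries the ID, which is the only point at which the framework can act, as Anthony notes; the sweep of files nobody presents again is what a periodic sessions2trash run is for.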