On Friday, October 17, 2014 1:15:39 PM UTC-7, Anthony wrote:
> I was simply pointing out that sessions do not technically expire on the > server side. The browser expires sessions by ceasing to return the session > cookie. If an attacker steals the cookie and keeps sending it, then the > server does nothing to expire the session. However, Auth logins can expire, > but that is a different matter. > > What's the model for an attacker stealing a cookie? Does it require access to the user's machine, or would a man-in-the-middle attack (with a wild proxy, for instance) work? /dps -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
