Does anyone have more information about sessions stored in cookies? Is it really completely safe, or is it theoretically possible for an attacker to pretend to be logged in as some random user?
It is known (or easy to find out) that an app was made with web2py and the session code is open source. The structure of the session object is at least partially known. Therefore the only secret part is the cookie_key I use for session.connect. I guess that's enough to make it impossible to build your own session (and store it in the cookie), right?

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
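The mechanism the question is asking about is an integrity-protected cookie: the server keeps a secret, attaches a MAC of the serialized session to the cookie, and on every request refuses any cookie whose tag does not match. The following is an added illustration written for this thread, not web2py's own session code (web2py's serialization format, the exact primitives it uses and the name `cookie_key` are taken from the question, not reproduced here). It uses HMAC-SHA256 over a base64/JSON payload and shows three things a reviewer would want to verify: a cookie round-trips under the right key, a payload edited without the key is rejected, and a signature-only scheme still leaves the session contents readable to whoever holds the cookie (integrity, not confidentiality).

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a minimal signed-cookie session. The only secret is
# cookie_key (name borrowed from the question; the format here is assumed,
# not web2py's). Anyone who can read the open-source code knows the layout,
# so the key alone has to carry the security of the scheme.


def _encode_payload(session: dict) -> str:
    # Deterministic serialization so the same session always signs the same way.
    raw = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def _tag(payload: str, cookie_key: bytes) -> str:
    # HMAC binds the payload to the server-side secret.
    return hmac.new(cookie_key, payload.encode(), hashlib.sha256).hexdigest()


def sign_session(session: dict, cookie_key: bytes) -> str:
    """Serialize a session dict into a cookie value of the form payload.tag."""
    payload = _encode_payload(session)
    return f"{payload}.{_tag(payload, cookie_key)}"


def load_session(cookie: str, cookie_key: bytes):
    """Return the session dict if the cookie verifies under cookie_key, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie: no separator
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(_tag(payload, cookie_key), tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def peek_payload(cookie: str):
    """Decode the payload WITHOUT the key.

    Demonstrates the caveat that a signed-only cookie is readable by the
    client; signing protects integrity, not confidentiality.
    """
    payload = cookie.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def tamper_payload(cookie: str, changes: dict) -> str:
    """Rewrite fields in the payload while keeping the old tag.

    Used only to test the verifier: without cookie_key the tag cannot be
    recomputed, so load_session must reject the result.
    """
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    data.update(changes)
    return f"{_encode_payload(data)}.{tag}"


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample secret
    cookie = sign_session({"user_id": 7, "role": "user"}, key)
    print("valid   ->", load_session(cookie, key))
    print("tampered->", load_session(tamper_payload(cookie, {"user_id": 1}), key))
    print("wrong key->", load_session(cookie, b"some-other-key"))
    print("readable without key ->", peek_payload(cookie))
```

The practical takeaways for a deployment match the question's intuition with two caveats: the guarantee holds only as long as `cookie_key` is long, random and never exposed (a guessable or leaked key lets anyone mint a valid cookie), and signing alone does not hide what is in the session, so anything sensitive needs encryption in addition to the MAC.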