On Tuesday, March 22, 2016 at 7:44:06 AM UTC-4, Alex wrote:
> Does anyone have more information about sessions stored in cookies? Is it really completely safe or is it theoretically possible for an attacker to pretend being logged in as some random user?
>
> It is known (or easy to find out) that an app was made with web2py and the session code is open source. The structure of the session object is at least partially known. Therefore the only secret part is cookie_key I use for session.connect. I guess that's enough to make it impossible to build your own session (and store it in the cookie), right?
Right. The session data stored in the cookies is both encrypted (so it cannot be read) and signed (so it cannot be changed without detection). Just be sure to keep cookie_key a secret (for example, do not expose response.toolbar() in a publicly available page -- though in the next release, that will no longer include the cookie_key).

Of course, when dealing with security issues, it's generally difficult to declare something "completely safe," but I would say at least there are no known vulnerabilities here.

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
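To illustrate the "signed so it cannot be changed without detection" property Anthony describes, here is an added, stand-alone Python example; it is not web2py's session code and does not reproduce its cookie format. It models only the signing half: the session dict is serialized, base64-encoded and authenticated with an HMAC-SHA256 tag keyed by a constructed stand-in for cookie_key. The encryption half (which keeps the contents unreadable) is omitted because the standard library ships no authenticated cipher; in a real deployment that layer comes from a proper crypto library. The names `COOKIE_KEY`, `make_cookie`, `load_cookie` and the three check functions are assumptions for this demo. The last function shows why the key must stay secret: whoever holds it can mint a cookie that verifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the cookie_key passed to session.connect(); not a real key.
COOKIE_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(session: dict, key: bytes) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over the encoded payload."""
    payload = _b64(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_cookie(cookie: str, key: bytes):
    """Return the session dict, or None if the cookie is malformed or its tag does not verify."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tampered_cookie_is_rejected() -> bool:
    """Swapping the payload while keeping the original tag must fail verification."""
    cookie = make_cookie({"user_id": 7, "role": "user"}, COOKIE_KEY)
    _payload, tag = cookie.rsplit(".", 1)
    forged_payload = _b64(json.dumps({"user_id": 1, "role": "admin"}).encode())
    return load_cookie(f"{forged_payload}.{tag}", COOKIE_KEY) is None


def wrong_key_is_rejected() -> bool:
    """A cookie signed under a different key is not accepted by this app's key."""
    cookie = make_cookie({"user_id": 7}, b"some-other-key")
    return load_cookie(cookie, COOKIE_KEY) is None


def leaked_key_allows_forgery() -> bool:
    """Why cookie_key must stay secret: with the key, any session can be minted and verifies."""
    forged = make_cookie({"user_id": 1, "role": "admin"}, COOKIE_KEY)
    return load_cookie(forged, COOKIE_KEY) == {"user_id": 1, "role": "admin"}


if __name__ == "__main__":
    print("round trip:", load_cookie(make_cookie({"user_id": 7}, COOKIE_KEY), COOKIE_KEY))
    print("tampered rejected:", tampered_cookie_is_rejected())
    print("wrong key rejected:", wrong_key_is_rejected())
    print("leaked key forges:", leaked_key_allows_forgery())
```

The first three checks are what the open-source session format buys an attacker: nothing, as long as the key is unknown. The fourth is the operational point of Anthony's reply, since the scheme's entire security rests on that key, so anything that prints it (such as the toolbar he mentions) turns into a session-forgery path and belongs only on pages that are not publicly reachable.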