Let's be clear. By default no data is stored in the session cookie. The 
session cookie is only a UUID. The data is only stored server side in a 
file, unless you explicitly change this to store session data in a cookie. 
Is that what you are doing?


On Tuesday, 22 March 2016 06:44:06 UTC-5, Alex wrote:
>
> Does anyone have more information about sessions stored in cookies? Is it 
> really completely safe or is it theoretically possible for an attacker to 
> pretend to be logged in as some random user?
>
> It is known (or easy to find out) that an app was made with web2py and the 
> session code is open source. The structure of the session object is at 
> least partially known. Therefore the only secret part is cookie_key I use 
> for session.connect. I guess that's enough to make it impossible to build 
> your own session (and store it in the cookie), right?
>

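A simplified model of the property asked about in the quoted question, added here as an illustration and not web2py's own session code: the cookie carries the session data plus an HMAC computed with `cookie_key`, so knowing the session structure alone does not yield a cookie the server accepts. The function names and the sample key are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this example; a real cookie_key must be long and random.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def make_tag(payload: bytes, cookie_key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with cookie_key."""
    return hmac.new(cookie_key, payload, hashlib.sha256).hexdigest()


def dump_session(data: dict, cookie_key: bytes) -> str:
    """Serialize session data and append its tag (authenticated, not encrypted)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return payload.decode() + ":" + make_tag(payload, cookie_key)


def load_session(cookie: str, cookie_key: bytes):
    """Return the session dict, or None if the cookie fails verification."""
    payload, sep, tag = cookie.rpartition(":")
    if not sep:
        return None
    expected = make_tag(payload.encode(), cookie_key)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None


def swap_payload(cookie: str, new_data: dict) -> str:
    """Model a client that knows the structure: new payload, old tag kept."""
    payload = base64.urlsafe_b64encode(json.dumps(new_data, sort_keys=True).encode())
    return payload.decode() + ":" + cookie.rpartition(":")[2]


if __name__ == "__main__":
    cookie = dump_session({"user_id": 7}, SERVER_KEY)
    print("genuine cookie   ->", load_session(cookie, SERVER_KEY))
    print("payload swapped  ->", load_session(swap_payload(cookie, {"user_id": 1}), SERVER_KEY))
    print("signed, wrong key ->", load_session(dump_session({"user_id": 1}, b"guess"), SERVER_KEY))
```

The guarantee rests entirely on the key: a short or leaked `cookie_key` removes it, which is why the key should be random and kept out of source control.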