I don't really understand how it works internally, so I'm wondering if it's safe to rely on a value stored as a session storage variable. More specifically, I am authorizing one user to do certain actions on behalf of another user, and the currently assumed user is stored in session.user (even if auth.user_id is somebody else). If somebody can hack the session and change the value of session.user, it would be a potentially dangerous situation, so if it's not safe, I would have to figure out something else. It's just easy and tempting to use some variables in a session. Any ideas on how safe it is?
P.S. I don't care if somebody can read it - my only concern is that they shouldn't be able to overwrite it, because this would give them authority to perform certain actions.