I've inspected web2py cookies, and I think I'm on to a problem.
Say I'm going into a public internet cafe. I'm getting into a web2py
website that uses the default auth. I'm looking at the cookie data and
saving it.
Then I'm sitting in the next chair, and some other guy goes to the
same website and logs in. At this point the cookie didn't change.
And as we're both behind a firewall, we also have the same IP, so I can
easily implant the logged-in session into my browser and do horrible
and unspeakable things on his behalf.
Is there a way to force a new session once a user is logged in? This
way, I can be sure no cookie is stolen.
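The scenario described in the post, as an added example that is not web2py's own session code: a constructed in-memory session store whose login either keeps the pre-login session id (the fixation behaviour the post describes) or issues a fresh id and retires the old one, plus a helper that replays the cafe scenario and reports whether the saved cookie still resolves to the victim's account.

```python
import secrets

# Constructed toy store for illustration only; not web2py's session machinery.
class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def new_session(self):
        """Issue an anonymous session, as a first visit to the site would."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_fixated(self, sid, user):
        """Vulnerable: marks the session authenticated but keeps the old id,
        so anyone who saved the cookie before login now holds a logged-in session."""
        self._sessions[sid]["user"] = user
        return sid

    def login_renewed(self, sid, user):
        """Hardened: on privilege change, move the data to a fresh id and
        drop the old one, so a previously saved cookie is no longer valid."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self._sessions[new_sid] = data
        return new_sid


def hijack_succeeds(login):
    """Replay the cafe scenario against the given login implementation and
    return True if the cookie saved before login still yields the victim's session."""
    store = SessionStore()
    copied = store.new_session()       # cookie value saved before the victim logs in
    login(store, copied, "victim")     # victim logs in using that same cookie
    session = store.get(copied)        # saved cookie is presented again
    return session is not None and session["user"] == "victim"
```

With `login_fixated` the replayed cookie is accepted as the victim; with `login_renewed` it resolves to nothing, which is the behaviour to verify after enabling session renewal on login.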