Consider this scenario... You use HTTP to log in and somebody intercepts the communication, steals the cookie and logs in using your credentials.
This is no longer possible. Now web2py checks that the IP of the client is the same as the IP of the client that started the session. If the cookie is stolen and/or used from a different IP, web2py refuses to open the corresponding session. I do not see any counter-indication. Comments?

Massimo
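
The check described in the message above, sketched as an added example (not web2py's own code and not part of the original post): a hypothetical in-memory `IPBoundSessionStore` records the client IP when the session starts and refuses to open it from any other address. The class and method names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets


class IPBoundSessionStore:
    """Hypothetical in-memory store tying each session to its creator's IP."""

    def __init__(self):
        self._sessions = {}  # session id -> {"ip": normalized IP, "data": dict}

    @staticmethod
    def _normalize(ip):
        # Map ::ffff:a.b.c.d to a.b.c.d so a dual-stack listener reporting the
        # same client in IPv6 form does not cause a false mismatch.
        addr = ipaddress.ip_address(ip)
        mapped = getattr(addr, "ipv4_mapped", None)
        return str(mapped if mapped is not None else addr)

    def create(self, client_ip):
        """Start a session and remember the IP that started it."""
        sid = secrets.token_urlsafe(32)  # value that would be sent as the cookie
        self._sessions[sid] = {"ip": self._normalize(client_ip), "data": {}}
        return sid

    def open(self, sid, client_ip):
        """Return session data, or None when the cookie is unknown or is
        presented from an IP other than the one that started the session."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        try:
            same_ip = self._normalize(client_ip) == record["ip"]
        except ValueError:  # unparsable address: treat as a mismatch
            return None
        return record["data"] if same_ip else None


def demo():
    # Constructed addresses from the documentation ranges (RFC 5737).
    store = IPBoundSessionStore()
    sid = store.create("203.0.113.10")
    store.open(sid, "203.0.113.10")["user"] = "alice"
    return (
        store.open(sid, "203.0.113.10"),         # same client
        store.open(sid, "::ffff:203.0.113.10"),  # same client, IPv4-mapped form
        store.open(sid, "198.51.100.7"),         # cookie replayed from elsewhere
    )
```

A client whose address changes mid-session (for example behind a NAT pool or on a mobile network) also gets `None` from `open` and has to log in again.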