> Are you saying that once the user logs in, any existing session they had
> should be erased and a new one started? I don't think that's how it works
> now, and I'm not sure that would always be the thing to do, but maybe it
> should be an option. I was just suggesting regenerating the session id, but
> keeping the session itself.
I think this is just about semantics. Regenerating the session id, as you call it, is the right thing to do, and I just added that it should be the default when making a transition to a secure channel.

> I hear you. Do you have a specific proposal for how auth and post-login
> routing should work? If a request comes in and the session includes an auth
> user, should web2py reject/redirect the request if it's not over SSL (at
> least that would be the default behavior, perhaps with the option to
> configure auth to allow non-secure sessions)?

Yes, something like

if auth.sslmandatory and request.env.protocol == 'https': normal_auth_code

and user functions with a regenerated session.

> Anthony
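The behaviour the two messages converge on, as an added, framework-independent sketch (this is not web2py's code; `SessionStore`, `Request`, `Auth`, `handle_request` and the `ssl_mandatory` flag are assumed names for illustration). It regenerates the session id while keeping the session contents at login and on the first request over HTTPS, and, when SSL is mandatory, refuses to serve an authenticated session over plain HTTP by redirecting to the HTTPS URL:

```python
"""Session-id regeneration on login / on the switch to HTTPS, plus an
"SSL mandatory" transport check. Hypothetical example code, not web2py's."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


class SessionStore:
    """Minimal server-side session store keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}

    def new(self, data=None):
        sid = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def renew(self, old_sid):
        """Regenerate the id but keep the session contents.

        The old id stops working at once, so an id observed on the plaintext
        channel, or planted before login (session fixation), is worthless.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown session id")
        return self.new(data)


@dataclass
class Request:
    protocol: str                      # 'http' or 'https'
    host: str
    path: str
    session_id: Optional[str] = None   # cookie value sent by the client


@dataclass
class Auth:
    store: SessionStore
    ssl_mandatory: bool = True                  # the option proposed in the thread
    users: dict = field(default_factory=dict)   # constructed credential table

    def handle_request(self, request):
        """Pre-dispatch check. Returns ('redirect', url) or ('ok', session_id)."""
        session = self.store.get(request.session_id)
        authenticated = session is not None and "auth_user" in session
        if self.ssl_mandatory and authenticated and request.protocol != "https":
            # Never serve an authenticated session over plaintext: send the
            # client to the same URL over HTTPS and leave the session untouched.
            return ("redirect", f"https://{request.host}{request.path}")
        sid = request.session_id
        if session is not None and request.protocol == "https" and not session.get("secure"):
            # First request on the secure channel: new id, same contents.
            sid = self.store.renew(sid)
            self.store.get(sid)["secure"] = True
        return ("ok", sid)

    def login(self, request, username, password):
        """Authenticate and bind the user to a freshly issued session id."""
        if self.ssl_mandatory and request.protocol != "https":
            return None                          # no credentials over plaintext
        if self.users.get(username) != password:
            return None
        if self.store.get(request.session_id) is not None:
            sid = self.store.renew(request.session_id)   # keep pre-login data
        else:
            sid = self.store.new()
        session = self.store.get(sid)
        session["auth_user"] = username
        session["secure"] = request.protocol == "https"
        return sid
```

The redirect branch deliberately does not renew the session: anything done in response to a plaintext request could be driven by an on-path attacker, so the only safe action there is to refuse and move the client to HTTPS.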