On Aug 18, 2008, at 5:40 PM, Phil Mayers wrote:
potentially possible to forge credentials. I don't know for sure
whether guard checks the IP address of a request against the
original one that created the session in the first place, but even
that could technically be forged.
Caches.
My first guess is that you're referring to caching proxies. I don't
really see how this is an issue, since there's a host of problems
you'll run into if a misbehaving caching proxy is aggressively
caching dynamic content.
Or perhaps the issue you're raising is that there exists a security
issue in that if you are behind a proxy, anyone else behind that
proxy could hijack your session even if the web app session code is
checking the client's IP.
But, you know, I'm not so skilled at the whole brevity thing ;-)...
-phil
_______________________________________________
Twisted-web mailing list
[email protected]
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
