Hi all, In my application, the session id seems to be getting re-used across different sessions.
To explain:

Login 1:
-----------
print str(session) on user/logout shows the following:

<Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-bcba-25bc46eac3ce', '_formkey[login]': '2af20030-f787-4623-851d-e823988a4df2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-b92d2da1b023', '_formkey[job_create]': 'c3325e1c-3f1d-409d-875b-240a8026f168', 'flash': None, 'auth': <Storage {'expiration': 600, 'user': <Storage {'username': 123456789, 'registration_key': '', 'incorrect_login_count': 0, 'email': 'aditya.sa...@gmail.com', 'reset_password_key': '', 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13), 'password': '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93', 'account_locked': False, 'id': 1}>, 'last_visit': datetime.datetime(2010, 4, 19, 11, 18, 37, 417024), 'remember': False}>}>

Login 2:
------------
<Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-bcba-25bc46eac3ce', '_formkey[login]': '9e0813ad-41f5-4c1d-8634-b6aa6dd6faf2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-b92d2da1b023', '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-be6d91098e88', 'flash': None, 'auth': <Storage {'expiration': 600, 'user': <Storage {'username': 123456789, 'password': '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93', 'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '', 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13), 'registration_key': '', 'account_locked': False, 'email': 'aditya.sa...@gmail.com'}>, 'last_visit': datetime.datetime(2010, 4, 19, 11, 20, 1, 154791), 'remember': False}>}>

Now I have set the expiration auth.settings.expire=600. Now someone reviewing the security of my application said that having the same session id can allow someone to "hijack" the session.
How can I cause a completely different session id for a user after every new login? Sorry, my knowledge of this is quite limited. Would appreciate any insights here.

Thanks,
Aditya
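The property the reviewer is asking for, as an added framework-agnostic Python example (not web2py's code and not the poster's): a server-side session store that throws away the pre-login session id and issues a fresh, unguessable one on every login, so the id seen before or during a previous login is never valid again. The store, its 600-second TTL and the injectable clock are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session store that issues a fresh session id on login.

    Constructed stand-in for a framework's session layer (not web2py's own code);
    the id is the only thing the browser holds, so rotating it on login is what
    stops an id known before login from being reused to hijack the session.
    """

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._sessions = {}           # sid -> {"data": {...}, "expires": float}

    def _store(self, data):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {"data": data, "expires": self.clock() + self.ttl}
        return sid

    def create(self):
        """Anonymous (pre-login) session, e.g. one holding only form keys."""
        return self._store({})

    def get(self, sid):
        """Return session data, or None if the id is unknown or past its TTL."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] <= self.clock():
            self._sessions.pop(sid, None)
            return None
        return entry["data"]

    def login(self, sid, user_id):
        """Authenticate: invalidate the pre-login id and return a brand-new one."""
        data = dict(self.get(sid) or {})
        self._sessions.pop(sid, None)                 # old id must not keep working
        data["auth"] = {"user": user_id, "expiration": self.ttl}
        return self._store(data)                      # only this response carries the new id

    def logout(self, sid):
        """Destroy server-side state; the cookie the browser still holds is now dead."""
        self._sessions.pop(sid, None)


def login_twice(store, user_id):
    """Two consecutive logins by the same user must never share a session id."""
    first = store.login(store.create(), user_id)
    store.logout(first)
    second = store.login(store.create(), user_id)
    return first, second
```

Checking the pair returned by login_twice against each other is the test the reviewer implicitly ran on the two dumps above; the rotation inside login is what makes it pass.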