Hi all,

In my application, the session id seems to be getting re-used across
different sessions.

To explain:

Login 1:
-----------
print str(session) on user/logout shows the following:

<Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
bcba-25bc46eac3ce', '_formkey[login]': '2af20030-f787-4623-851d-
e823988a4df2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
b92d2da1b023', '_formkey[job_create]':
'c3325e1c-3f1d-409d-875b-240a8026f168', 'flash': None, 'auth':
<Storage {'expiration': 600, 'user': <Storage {'username': 123456789,
'registration_key': '', 'incorrect_login_count': 0, 'email':
'aditya.sa...@gmail.com', 'reset_password_key': '',
'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
'password':
'9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
'account_locked': False, 'id': 1}>, 'last_visit':
datetime.datetime(2010, 4, 19, 11, 18, 37, 417024), 'remember': False}
>}>

Login 2:
------------
<Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
bcba-25bc46eac3ce', '_formkey[login]': '9e0813ad-41f5-4c1d-8634-
b6aa6dd6faf2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
b92d2da1b023', '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-
be6d91098e88', 'flash': None, 'auth': <Storage {'expiration': 600,
'user': <Storage {'username': 123456789, 'password':
'9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '',
'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
'registration_key': '', 'account_locked': False, 'email':
'aditya.sa...@gmail.com'}>, 'last_visit': datetime.datetime(2010, 4,
19, 11, 20, 1, 154791), 'remember': False}>}>

Now I have set the expiration: auth.settings.expire=600. Someone
reviewing the security of my application said that having the same session
id can allow someone to "hijack" the session. How can I cause a
completely different session id for a user after every new login?

Sorry my knowledge of this is quite limited. Would appreciate any
insights here.

Thanks,
Aditya
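A minimal model of the mitigation being asked about, added here as an example and not web2py's own code: the session identifier is regenerated at the authentication boundary (login and logout), and the pre-login per-form keys are dropped rather than carried into the authenticated session. The `SessionStore` class and the walkthrough in `login_rotates_session` are constructed for this illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}          # session id -> dict of session data

    def create(self):
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def formkey(self, sid, form_name):
        """Per-form CSRF token kept in the session, like web2py's _formkey[...]."""
        key = secrets.token_hex(16)
        self._sessions[sid]['_formkey[%s]' % form_name] = key
        return key

    def login(self, sid, user_id):
        """Authenticate and ROTATE the session id.

        The pre-login id is deleted, so an id fixed or observed before
        authentication no longer maps to the logged-in session. Pre-login
        form keys are dropped so they cannot be replayed afterwards.
        """
        old = self._sessions.pop(sid, {})
        new_sid = self.create()
        self._sessions[new_sid] = {k: v for k, v in old.items()
                                   if not k.startswith('_formkey[')}
        self._sessions[new_sid]['auth'] = {'user_id': user_id}
        return new_sid

    def logout(self, sid):
        """Destroy the session server-side instead of only clearing 'auth'."""
        self._sessions.pop(sid, None)
        return self.create()      # fresh anonymous session for the browser


def login_rotates_session(store):
    """Replay the post's two logins and report what changed between them."""
    anon = store.create()
    store.formkey(anon, 'client_create')          # key issued before login
    first = store.login(anon, user_id=1)
    formkey_carried = '_formkey[client_create]' in store.get(first)
    anon2 = store.logout(first)
    second = store.login(anon2, user_id=1)
    return {
        'old_sid_still_valid': store.get(anon) is not None,
        'logged_out_sid_still_valid': store.get(first) is not None,
        'ids_differ': len({anon, first, anon2, second}) == 4,
        'formkey_carried_over': formkey_carried,
        'second_login_authenticated': store.get(second)['auth']['user_id'] == 1,
    }
```

Unchanged `_formkey[...]` values across two logins, as in the dumps above, are the symptom that no such rotation happened.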
