Update:

This seems to work in user():

    if request.args(0) == 'login':
        session.clear()

Am I doing something wrong or unnecessary?

On Apr 19, 10:57 am, Adi <aditya.sa...@gmail.com> wrote:
> Hi all,
>
> In my application, the session id seems to be getting re-used across
> different sessions.
>
> To explain:
>
> Login 1:
> -----------
> print str(session) on user/logout shows the following:
>
> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
> bcba-25bc46eac3ce', '_formkey[login]': '2af20030-f787-4623-851d-
> e823988a4df2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
> b92d2da1b023', '_formkey[job_create]':
> 'c3325e1c-3f1d-409d-875b-240a8026f168', 'flash': None, 'auth':
> <Storage {'expiration': 600, 'user': <Storage {'username': 123456789,
> 'registration_key': '', 'incorrect_login_count': 0, 'email':
> 'aditya.sa...@gmail.com', 'reset_password_key': '',
> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
> 'password':
> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
> 'account_locked': False, 'id': 1}>, 'last_visit':
> datetime.datetime(2010, 4, 19, 11, 18, 37, 417024), 'remember': False}>}>
>
> Login 2:
> ------------
> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
> bcba-25bc46eac3ce', '_formkey[login]': '9e0813ad-41f5-4c1d-8634-
> b6aa6dd6faf2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
> b92d2da1b023', '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-
> be6d91098e88', 'flash': None, 'auth': <Storage {'expiration': 600,
> 'user': <Storage {'username': 123456789, 'password':
> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
> 'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '',
> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
> 'registration_key': '', 'account_locked': False, 'email':
> 'aditya.sa...@gmail.com'}>, 'last_visit': datetime.datetime(2010, 4,
> 19, 11, 20, 1, 154791), 'remember': False}>}>
>
> Now I have set expiration auth.settings.expire=600 . Now someone
> reviewing security of my application said that having the same session
> id can allow someone to "hijack" the session. How can I cause a
> completely different session id for a user after every new login?
>
> Sorry my knowledge of this is quite limited. Would appreciate any
> insights here.
>
> Thanks,
> Aditya
>
> --
> Subscription settings:http://groups.google.com/group/web2py/subscribe?hl=en
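A framework-agnostic model of what the reviewer's concern and the "completely different session id after every login" request amount to, added here as an illustration; this is not web2py's session code, and SessionStore, its methods and the user name "alice" are constructed for the example:

```python
import secrets

class SessionStore:
    """Minimal in-memory session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session_id -> dict of session data

    def new_session(self):
        """Issue an id to an unauthenticated visitor (e.g. on first request)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"auth": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, regenerate=True):
        """Authenticate the bearer of `sid`.

        With regenerate=True the pre-login id is retired and a fresh one is
        issued, so an id that was known (or planted) before authentication
        never names an authenticated session.  With regenerate=False the
        same id simply gains an 'auth' entry, which is the situation in the
        session dumps above.
        """
        if regenerate:
            data = self._sessions.pop(sid)      # old id stops resolving
            new_sid = secrets.token_urlsafe(32)
        else:
            data = self._sessions[sid]
            new_sid = sid
        data["auth"] = {"user": user}
        self._sessions[new_sid] = data          # other state survives the swap
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

def fixation_window(regenerate):
    """True if an id observed before login still resolves to an
    authenticated session afterwards (the weakness the reviewer flagged)."""
    store = SessionStore()
    pre_login_sid = store.new_session()       # id the browser holds before login
    post_login_sid = store.login(pre_login_sid, user="alice", regenerate=regenerate)
    assert store.get(post_login_sid)["auth"] == {"user": "alice"}
    stale = store.get(pre_login_sid)
    return stale is not None and stale["auth"] is not None
```

Clearing the session contents is a separate matter from changing its identifier: what closes the window is that the id held before login no longer resolves once the user is authenticated.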
