The session ID is only unique between your web browser and your application.

Try this test using two different web browsers.

--
Thadeus
On Mon, Apr 19, 2010 at 1:21 AM, Adi <aditya.sa...@gmail.com> wrote:
> Update:
>
> This seems to work in user():
>
>  if request.args(0) == 'login':
>      session.clear()
>
> Am I doing something wrong or unnecessary?
>
> On Apr 19, 10:57 am, Adi <aditya.sa...@gmail.com> wrote:
>> Hi all,
>>
>> In my application, the session id seems to be getting re-used across
>> different sessions.
>>
>> To explain:
>>
>> Login 1:
>> -----------
>> print str(session) on user/logout shows the following:
>>
>> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
>> bcba-25bc46eac3ce', '_formkey[login]': '2af20030-f787-4623-851d-
>> e823988a4df2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
>> b92d2da1b023', '_formkey[job_create]':
>> 'c3325e1c-3f1d-409d-875b-240a8026f168', 'flash': None, 'auth':
>> <Storage {'expiration': 600, 'user': <Storage {'username': 123456789,
>> 'registration_key': '', 'incorrect_login_count': 0, 'email':
>> 'aditya.sa...@gmail.com', 'reset_password_key': '',
>> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
>> 'password':
>> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90 
>> 242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
>> 'account_locked': False, 'id': 1}>, 'last_visit':
>> datetime.datetime(2010, 4, 19, 11, 18, 37, 417024), 'remember': False}
>>
>> >}>
>>
>> Login 2:
>> ------------
>> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-
>> bcba-25bc46eac3ce', '_formkey[login]': '9e0813ad-41f5-4c1d-8634-
>> b6aa6dd6faf2', '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-
>> b92d2da1b023', '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-
>> be6d91098e88', 'flash': None, 'auth': <Storage {'expiration': 600,
>> 'user': <Storage {'username': 123456789, 'password':
>> '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90 
>> 242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
>> 'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '',
>> 'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
>> 'registration_key': '', 'account_locked': False, 'email':
>> 'aditya.sa...@gmail.com'}>, 'last_visit': datetime.datetime(2010, 4,
>> 19, 11, 20, 1, 154791), 'remember': False}>}>
>>
>> Now I have set expiration auth.settings.expire=600 . Now someone
>> reviewing security of my application said that having the same session
>> id can allow someone to "hijack" the session. How can I cause a
>> completely different session id for a user after every new login?
>>
>> Sorry my knowledge of this is quite limited. Would appreciate any
>> insights here.
>>
>> Thanks,
>> Aditya
>>
>> --
>> Subscription settings: http://groups.google.com/group/web2py/subscribe?hl=en
>
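The behaviour Adi describes (the same session ID surviving a login) is the setup for session fixation, and the mitigation is to issue a fresh ID once the user authenticates. The block below is an added example, not web2py code and not from anyone in the thread: a constructed in-memory session store with the keep-ID handler and the rotate-ID handler side by side, plus a check of whether a pre-login ID still reaches the authenticated state.

```python
import secrets


class SessionStore:
    """Toy in-memory store mapping opaque session IDs to per-session state."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_hex(16)  # 128-bit random ID, unguessable
        self._sessions[sid] = {"auth": None, "flash": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_keep_id(self, sid, user):
        """Weak pattern: authenticate the existing session in place.
        The ID issued before login now grants the logged-in session."""
        self._sessions[sid]["auth"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Mitigated pattern: retire the pre-login ID and bind the
        authenticated state to a freshly generated one."""
        old = self._sessions.pop(sid, {"auth": None, "flash": None})
        new_sid = secrets.token_hex(16)
        # Carry over only non-auth state (e.g. a pending flash message).
        self._sessions[new_sid] = {"auth": user, "flash": old.get("flash")}
        return new_sid


def fixation_check(rotate):
    """Simulate an ID that was known before login and report
    (id_changed, pre_login_id_still_authenticated) after login."""
    store = SessionStore()
    pre_login_sid = store.new()
    login = store.login_rotate_id if rotate else store.login_keep_id
    post_login_sid = login(pre_login_sid, "constructed-user")
    stale = store.get(pre_login_sid)
    still_authenticated = stale is not None and stale["auth"] is not None
    return post_login_sid != pre_login_sid, still_authenticated
```

With rotation the pre-login ID is dead after authentication, which is the property the reviewer of Adi's application was asking for; whether `session.clear()` alone achieves it depends on whether the framework also reissues the cookie value, which is what Thadeus's two-browser test observes.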
