The session ID is only unique between your web browser and your application.
Try this test using two different web browsers.

-- Thadeus

On Mon, Apr 19, 2010 at 1:21 AM, Adi <aditya.sa...@gmail.com> wrote:
> Update:
>
> This seems to work in user():
>
> if request.args(0) == 'login':
>     session.clear()
>
> Am I doing something wrong or unnecessary?
>
> On Apr 19, 10:57 am, Adi <aditya.sa...@gmail.com> wrote:
>> Hi all,
>>
>> In my application, the session id seems to be getting re-used across
>> different sessions.
>>
>> To explain:
>>
>> Login 1:
>> -----------
>> print str(session) on user/logout shows the following:
>>
>> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-bcba-25bc46eac3ce',
>>  '_formkey[login]': '2af20030-f787-4623-851d-e823988a4df2',
>>  '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-b92d2da1b023',
>>  '_formkey[job_create]': 'c3325e1c-3f1d-409d-875b-240a8026f168',
>>  'flash': None,
>>  'auth': <Storage {'expiration': 600,
>>    'user': <Storage {'username': 123456789, 'registration_key': '', 'incorrect_login_count': 0,
>>      'email': 'aditya.sa...@gmail.com', 'reset_password_key': '',
>>      'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
>>      'password': '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
>>      'account_locked': False, 'id': 1}>,
>>    'last_visit': datetime.datetime(2010, 4, 19, 11, 18, 37, 417024),
>>    'remember': False}>}>
>>
>> Login 2:
>> ------------
>> <Storage {'_formkey[resources_create]': 'ce48911d-aed8-4fc8-bcba-25bc46eac3ce',
>>  '_formkey[login]': '9e0813ad-41f5-4c1d-8634-b6aa6dd6faf2',
>>  '_formkey[client_create]': 'd4f4a845-f6e1-403a-9e11-b92d2da1b023',
>>  '_formkey[job_create]': '1424bef4-2a3e-43d2-8a6f-be6d91098e88',
>>  'flash': None,
>>  'auth': <Storage {'expiration': 600,
>>    'user': <Storage {'username': 123456789,
>>      'password': '9db266ab73d140f31b9ba732110c956673c5c9de84918842fd5f3759206508ea437fd7ad90242cf185b52b0f0bc53593b408b729b735f2bb8305963de8386c93',
>>      'incorrect_login_count': 0, 'id': 1, 'reset_password_key': '',
>>      'last_password_change': datetime.datetime(2010, 4, 1, 15, 16, 13),
>>      'registration_key': '', 'account_locked': False,
>>      'email': 'aditya.sa...@gmail.com'}>,
>>    'last_visit': datetime.datetime(2010, 4, 19, 11, 20, 1, 154791),
>>    'remember': False}>}>
>>
>> Now I have set expiration auth.settings.expire=600. Now someone
>> reviewing security of my application said that having the same session
>> id can allow someone to "hijack" the session. How can I cause a
>> completely different session id for a user after every new login?
>>
>> Sorry my knowledge of this is quite limited. Would appreciate any
>> insights here.
>>
>> Thanks,
>> Aditya
>>
>> --
>> Subscription settings: http://groups.google.com/group/web2py/subscribe?hl=en
>
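Adi's question is how to get a different session id after every login, and `session.clear()` only resets the session's contents while the browser keeps the same id. The following is an added, framework-agnostic Python example (not code from this thread or from web2py) that puts the two approaches side by side in a toy in-memory store: `SessionStore`, `login_clear_only` and `login_with_rotation` are names made up for this demo.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: the cookie value is the session ID."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness per ID
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def rotate(self, old_sid):
        """Move the session data under a fresh ID and retire the old one."""
        data = self.sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid


def login_clear_only(store, sid, user):
    """Mirrors session.clear() at login: contents reset, ID unchanged."""
    data = store.sessions[sid]
    data.clear()
    data["auth"] = {"user": user}
    return sid


def login_with_rotation(store, sid, user):
    """Hardened login: the ID issued before authentication stops working."""
    new_sid = store.rotate(sid)
    store.sessions[new_sid].clear()
    store.sessions[new_sid]["auth"] = {"user": user}
    return new_sid


def compare():
    """Run both login styles from a fresh pre-login session and report."""
    results = {}
    for name, login in (("clear_only", login_clear_only), ("rotation", login_with_rotation)):
        store = SessionStore()
        pre = store.new_session()              # ID the browser held before login
        post = login(store, pre, "aditya")     # constructed sample user
        results[name] = {"id_changed": pre != post,
                         # does the pre-login ID still resolve to an authenticated session?
                         "old_id_authenticated": (store.get(pre) or {}).get("auth") is not None}
    return results
```

With `clear_only` the pre-login id is now an authenticated id, which is exactly the exposure the reviewer flagged; with `rotation` the old id resolves to nothing.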