No. It does not. Session IDs are only transferred via cookies.


On Tuesday, 24 July 2012 11:04:58 UTC-5, Andrew wrote:
>
> Could be a session fixation attack. Web2py doesn't ever use session id's 
> in the url does it?
>
> On Tuesday, July 24, 2012 11:00:30 AM UTC-5, Neil wrote:
>>
>> Here is what she told me:
>>
>> 1. She clicked a link (from Facebook), and was taken directly to one of 
>> the pages for logged in users. I think this was her first visit to the site.
>> 2. She went back to Facebook, and re-clicked the link, and was again 
>> taken to a user page
>> 3. She clicked the "Logout" link, and could no longer access user pages. 
>> She never tried to logon or register.
>>
>> Hardly seems possible to me, and I would have been very sceptical about 
>> the whole thing except that she told me the name of the other user (which 
>> she would have had no way of knowing).
>>
>> I'll send you a copy of the app.
>>
>> Neil
>>
>> On Tuesday, July 24, 2012 4:43:44 PM UTC+1, Massimo Di Pierro wrote:
>>>
>>> We will investigate this thoroughly but please get as much information as 
>>> possible about what this person was doing. Did he try login? Could you also 
>>> send me a copy of your app (confidentially)?
>>>
>>> The fact is even if there were a session conflict (I do not believe that 
>>> is possible unless uuid is broken) a client must request the session via a 
>>> cookie. A new user always gets assigned a new session id and therefore an 
>>> empty session.
>>>
>>> Trunk contains experimental code for sessions in cookies. That code does 
>>> not work yet. I am assuming you are not using that anyway.
>>>
>>> Trunk also contains a new password crypt handling. One version of it was 
>>> broken (nobody could login). We are testing that too. 
>>>
>>> Massimo
>>>
>>> On Tuesday, 24 July 2012 07:18:45 UTC-5, Neil wrote:
>>>>
>>>> I just heard from someone who had never been to my site before. When 
>>>> she visited (on her phone), it was already logged on as another user. This 
>>>> other user (she told me his name) is located on the other side of the 
>>>> world, and may or may not have logged out. I'm rather worried - she was 
>>>> accessing functions decorated with @auth.requires_login() without even 
>>>> having an account, let alone logging in! Once she clicked "logout" she was 
>>>> no longer able to access any user pages.
>>>>
>>>> I understand this will be tough to debug with so little information. 
>>>> Furthermore, I've never observed this behaviour personally. However, it's 
>>>> concerning enough that I thought I'd see if anyone else has experienced 
>>>> such a thing. If not, any ideas how such a thing could even happen?
>>>>
>>>> I'm using trunk - I suppose I should roll back to stable?
>>>>
>>>> Neil
>>>>
>>>>
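As an added illustration of the cookie-only session behaviour Massimo describes above (this is a simplified model written for this thread, not web2py's own session code; `CookieSessionStore` and the helper functions are assumed names):

```python
import uuid


class CookieSessionStore:
    """Simplified model of cookie-only server-side sessions (not web2py's code)."""

    COOKIE_NAME = "session_id"

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def load(self, cookies, query_params):
        """Resolve the session for one request.

        Only the cookie is consulted; query_params is accepted but never read,
        so a link carrying ?session_id=... cannot attach a visitor to another
        user's session (the fixation case asked about in the thread).
        An absent or unknown cookie yields a fresh id and an empty dict.
        """
        sid = cookies.get(self.COOKIE_NAME)
        if sid is None or sid not in self._sessions:
            sid = str(uuid.uuid4())
            self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def logout(self, sid):
        """Drop the server-side record so the old id no longer resolves."""
        self._sessions.pop(sid, None)


def new_visitor_sees_empty_session(store):
    """Two first-time visitors get distinct ids; the second sees no data."""
    sid_a, sess_a = store.load(cookies={}, query_params={})
    sess_a["user"] = "alice"  # constructed: alice logs in
    sid_b, sess_b = store.load(cookies={}, query_params={})
    return sid_a != sid_b and sess_b == {}


def url_session_id_is_ignored(store):
    """A shared link with alice's id in the URL must not log the visitor in."""
    sid_a, sess_a = store.load(cookies={}, query_params={})
    sess_a["user"] = "alice"
    _, sess_b = store.load(cookies={}, query_params={"session_id": sid_a})
    return "user" not in sess_b


def logout_invalidates_id(store):
    """After logout, presenting the old cookie yields a new, empty session."""
    sid, sess = store.load(cookies={}, query_params={})
    sess["user"] = "alice"
    store.logout(sid)
    new_sid, new_sess = store.load(cookies={"session_id": sid}, query_params={})
    return new_sid != sid and new_sess == {}
```

Running the three checks against a real deployment (fresh client with no cookies, a link carrying another user's id, a request after logout) is the kind of reproduction step that would confirm or rule out the behaviour Neil reports.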
