id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
362	Anonymous sessions should try to prevent session-stealing	jmcbray-django@…	Adrian Holovaty	"If a user can sniff (or guess) a session id, they can take over a user's session.

The simpler types of attempts to steal sessions can be prevented by gathering as much information as possible about the client when creating a session, and then verifying that that information hasn't changed on subsequent requests.  If it has, it should log a warning and log the user out.  A hash of REMOTE_ADDR and, if it exists, PROXY_FORWARDED_FOR is commonly used to prevent replay attacks like this.

This is easy enough to implement in the application, but it should probably be built into the framework.  A way of providing page tokens/nonces would also be useful, and this could be used to avoid sending session tokens to the client entirely.

Though this is technically an RFE, I'm submitting it as severity normal, because the easiest way to do sessions should be secure by default."	defect	closed	Core (Other)		normal	fixed	sessions, security, authentication		Accepted	0	0	0	0	0	0
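The check the ticket describes (record a hash of the client's address data when the session is created, compare it on every later request, and log the user out on a mismatch) as an added, framework-independent example. This is illustration code written for this page, not the ticket's patch or Django's session machinery: it assumes a WSGI-style `environ`/`META` dict, uses the `HTTP_X_FORWARDED_FOR` key in place of the ticket's `PROXY_FORWARDED_FOR`, and uses a constructed secret in place of a real site secret.

```python
import hashlib
import hmac
import logging

# Constructed secret for this example only; a deployment would use its
# own per-site secret (e.g. the framework's SECRET_KEY).
SECRET_KEY = b"example-secret-key-not-for-production"
FINGERPRINT_KEY = "_client_fingerprint"

log = logging.getLogger("sessions.security")


def client_fingerprint(meta, secret=SECRET_KEY):
    """HMAC over REMOTE_ADDR plus the X-Forwarded-For header, if present.

    `meta` is a WSGI-style environ dict.  A missing forwarded header hashes
    as an empty string, so a proxy that never sets it still gives a stable
    value.  An HMAC rather than a bare hash keeps the stored value from
    revealing the client's address to whoever can read the session store.
    """
    material = "|".join([
        meta.get("REMOTE_ADDR", ""),
        meta.get("HTTP_X_FORWARDED_FOR", ""),
    ])
    return hmac.new(secret, material.encode(), hashlib.sha256).hexdigest()


def check_session(session, meta):
    """Bind `session` (a mutable mapping) to the requesting client.

    First request: record the fingerprint.  Later requests: compare it.
    On mismatch the session data is discarded (logging the user out) and a
    warning is logged.  Returns True if the session survived, False if it
    was reset.
    """
    current = client_fingerprint(meta)
    stored = session.get(FINGERPRINT_KEY)
    if stored is None:
        session[FINGERPRINT_KEY] = current
        return True
    if hmac.compare_digest(stored, current):
        return True
    log.warning("session fingerprint mismatch from %s; discarding session",
                meta.get("REMOTE_ADDR", "?"))
    session.clear()
    session[FINGERPRINT_KEY] = current  # fresh, anonymous session for this client
    return False


def demo():
    """Constructed walk-through: the original client is accepted twice, a
    second client presenting the same session gets it discarded."""
    session = {"user_id": 42}
    original = {"REMOTE_ADDR": "203.0.113.5"}        # constructed sample address
    other = {"REMOTE_ADDR": "198.51.100.9"}          # constructed sample address
    return [
        check_session(session, original),  # first request: fingerprint recorded
        check_session(session, original),  # same client: accepted
        check_session(session, other),     # different client: reset
        "user_id" in session,              # user data gone after the reset
    ]


if __name__ == "__main__":
    print(demo())
```

Binding a session to the client's address is a coarse check: clients behind carrier-grade NAT or a rotating proxy pool change address legitimately, so the warning-plus-logout response the ticket asks for will also hit some real users, and the log line is what lets an operator tell the two apart.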
