NAT'd IP's Re: [Seaside] Seaside session stealing

Randal L. Schwartz merlyn at
Wed Apr 22 01:01:19 UTC 2009

>>>>> "Nevin" == Nevin Pratt <nevin at> writes:

Nevin> 2. If we don't get a proper "remember me" cookie back from the user, then
Nevin> check to see if cookies are enabled in the user's browser.  If they are not
Nevin> even enabled, then default to an IP check-- if the IP is the same, consider
Nevin> that the session is NOT stolen.

Please don't make the mistake of presuming "ip == user".

You've already identified the case (behind a NAT) where many users share the
same IP, but consider also the "walled garden" of AOL users, where the same
user can come in from different IPs during a single session.

You must allow for that.

In general, IP-based checks are broken.  Don't rely on them.

Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at> <URL:>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See for Smalltalk and Seaside discussion
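The following is an added illustration of the point made above, not code from this thread or from Seaside. It models the quoted policy (accept the "remember me" cookie if present, otherwise fall back to "same IP as at login") beside a token-only policy, and runs both through the two cases the reply names: two users sharing one NAT address, and one user whose requests leave through different proxy addresses during a single session. It is written in Python rather than Smalltalk so it can be run directly; the session store, user names and IP addresses are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "ip", "token"}.
SESSIONS = {}


def create_session(user, ip):
    """Start a session, record the client IP seen at login and issue a
    random 'remember me' token. Both the session id and the token are
    unguessable (secrets module); the token is what the cookie carries."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": ip, "token": token}
    return sid, token


def validate_ip_fallback(sid, token, ip):
    """The policy quoted in the thread: accept the cookie token if present,
    otherwise fall back to 'same IP as at login means not stolen'."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return False
    if token is not None:
        return hmac.compare_digest(rec["token"], token)
    return rec["ip"] == ip  # the weak branch: an IP is not an identity


def validate_token_only(sid, token, ip):
    """Token-only policy: the IP is ignored and a missing token is a failure.
    Constant-time comparison avoids leaking the token byte by byte."""
    rec = SESSIONS.get(sid)
    if rec is None or token is None:
        return False
    return hmac.compare_digest(rec["token"], token)


def nat_scenario():
    """Two users behind one NAT share the public address 203.0.113.10
    (constructed). A second user presents the first user's session id
    without her cookie token."""
    sid, _ = create_session("alice", "203.0.113.10")
    return {
        "ip_fallback_accepts_other_user": validate_ip_fallback(sid, None, "203.0.113.10"),
        "token_only_accepts_other_user": validate_token_only(sid, None, "203.0.113.10"),
    }


def rotating_proxy_scenario():
    """One user whose requests leave through different proxy addresses
    within a single session (the 'walled garden' case)."""
    sid, token = create_session("carol", "198.51.100.7")
    return {
        # she still has her cookie, so both policies accept her from a new IP
        "ip_fallback_with_cookie": validate_ip_fallback(sid, token, "198.51.100.9"),
        "token_only_with_cookie": validate_token_only(sid, token, "198.51.100.9"),
        # a pure IP binding (no cookie) would end her session mid-visit
        "ip_fallback_without_cookie": validate_ip_fallback(sid, None, "198.51.100.9"),
    }


if __name__ == "__main__":
    print("NAT:", nat_scenario())
    print("rotating proxy:", rotating_proxy_scenario())
```

Run as a script, the NAT case shows the IP fallback accepting the second user while the token-only policy rejects him; the rotating-proxy case shows that the IP comparison is what breaks the legitimate user once her address changes, and that the cookie token is what keeps her session intact.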
