Much like we do on bugzilla and other places, the SSO session cookie should be valid for its original IP address only.
Component: Webdev → SSO
Product: mozilla.org → Webtools
This is fixed: http://github.com/mozilla/secret-squirrel/commit/85b5f61

Notes:
- I used django-paranoid-sessions, which can do even more to ensure session safety than what we are using it for now. I only switched on remote IP checking, however. Michael, you might want to check out what else that package offers, for inspiration :).
- I wrote a test that ensures an established session is logged out when the client IP changes.
- I am using commonware's remote IP middleware to check the client IP vs. our load balancer's IP (which would be useless).
- Ozten: You have to ``pip install -r requirements/dev.txt``.

http://github.com/rfk/django-paranoid-sessions/
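The comment above describes two things worth seeing together: why comparing the session against REMOTE_ADDR is useless behind a load balancer (every client looks like the balancer), and how binding a session to the real client IP logs it out when that IP changes. The following is an added, stand-alone Python model of that check; it is not the code from the commit, and not how django-paranoid-sessions or commonware implement it. The trusted proxy range, the session key name and the sample addresses are constructed for the example.

```python
"""Added example: IP-bound sessions behind a trusted load balancer.

Not the fix's code and not the django-paranoid-sessions / commonware
implementation; a pure-Python model of the same check.
"""
from ipaddress import ip_address, ip_network

# Constructed: network the load balancer connects from. Only peers in this
# range are allowed to set X-Forwarded-For on the client's behalf.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Constructed: session key under which the bound IP is stored.
BOUND_IP_KEY = "_bound_ip"


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, x_forwarded_for=None):
    """The check the comment calls useless: behind the balancer every request
    carries the balancer's address, so an IP change can never be detected."""
    return remote_addr


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the real client IP.

    If the TCP peer is a trusted proxy, walk X-Forwarded-For from the right
    (the end the proxy appended to) and return the first address that is not
    itself a trusted proxy. A direct connection ignores the header entirely,
    since the client could have written anything into it.
    """
    peer = ip_address(remote_addr)
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            continue  # malformed, client-supplied entry; skip it
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


def check_session(session, remote_addr, x_forwarded_for=None):
    """Bind a session (a dict standing in for the session store) to the IP
    that first used it, and clear it when a later request arrives from a
    different IP. Returns True if the session was invalidated."""
    ip = client_ip(remote_addr, x_forwarded_for)
    bound = session.get(BOUND_IP_KEY)
    if bound is None:
        session[BOUND_IP_KEY] = ip
        return False
    if bound != ip:
        session.clear()  # the "logged out" outcome the test in the fix checks for
        return True
    return False


if __name__ == "__main__":
    # Constructed traffic: two different clients, both arriving via the balancer.
    lb = "10.0.0.5"
    print(naive_client_ip(lb, "203.0.113.7") == naive_client_ip(lb, "198.51.100.9"))
    s = {"user_id": 42}
    print(check_session(s, lb, "203.0.113.7"))   # first use: bound, not invalidated
    print(check_session(s, lb, "198.51.100.9"))  # IP changed: session cleared
```

The order in which X-Forwarded-For is walked matters: a client can prepend arbitrary addresses, but only the balancer appends the address it actually saw, so the rightmost non-proxy entry is the one to bind the session to.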
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED