Issue 79: Documented issue with using ``include_ip`` in ``auth_tkt`` plugin.
See http://bugs.repoze.org/issue81 .
| | |
| | | After 1.0.13 |
| | | ============ |
| | | |
| | | - Documented issue with using ``include_ip`` setting in the ``auth_tkt`` |
| | | plugin. See http://bugs.repoze.org/issue81 . |
| | | |
| | | - Added 'passthrough_challenge_decider', which avoids re-challenging 401 |
| | | responses which have been "pre-challenged" by the application. |
| | | |
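Review bot: The issue reference in the new "After 1.0.13" entry does not match the commit subject: the subject says Issue 79, while this entry and the commit body both link to http://bugs.repoze.org/issue81. Please confirm which tracker item this change documents and make the two agree, so the changelog link leads to the right report. The entry would also be more useful if it named the problem in a few words (users whose IP address changes during a session) instead of only saying "Documented issue".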
| | |
| | | *include_ip* is True, the ``REMOTE_ADDR`` of the WSGI environment |
| | | will be placed in the cookie. |
| | | |
| | | .. note:: |
| | | Using the *include_ip* setting for public-facing applications may |
| | | cause problems for some users. `One study |
| | | <http://westpoint.ltd.uk/advisories/Paul_Johnston_GSEC.pdf>`_ reports |
| | | that as many as 3% of users change their IP addresses legitimately |
| | | during a session. |
| | | |
| | | .. module:: repoze.who.plugins.basicauth |
| | | |
| | | .. class:: BasicAuthPlugin(realm) |
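Review bot: The new note under *include_ip* says the setting "may cause problems for some users" but never states what the problem is or what a deployer should do about it. Spell out the symptom (the ``REMOTE_ADDR`` placed in the cookie no longer matches once the client's address changes, so presumably the ticket is rejected and the user has to authenticate again) and add a recommendation, such as leaving *include_ip* off for public-facing applications. The 3% figure rests entirely on an external PDF link; giving the study's title next to the URL would keep the note meaningful if the link stops resolving.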