I've come up with a (very simple) defence against session hijacking and so
on. It's probably flawed (I admit I'm not an expert on these things), so if
someone could please tell me why it won't work, I'd be very grateful.

When the user logs in, the server stores the client's IP address in a
session variable (so it's stored at the server end - the client just gets a
session id). Authentication of subesequent pages is assumed only if the
client's IP address matches the IP address stored in the session variable
corresponding to the client's session.

Is this secure? If not, why not?


[Moderator's Note: you might want to read the original paper again. It
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to