On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote:
> session id). Authentication of subesequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?

It's not a question of whether it's secure or not, in any kind of environment
with distributed proxies, it just plain won't work.

A more useful fix is to not allow arbitrary sessionids to be created, and
generate the state on login, and destroy it on logout. There may be a
condition I've missed with this, but I'm not sure.


Matthew Byng-Maddick         <[EMAIL PROTECTED]>           http://colondot.net/

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to