This has got nothing whatsoever to do with session fixation. It _has_ however, got something to do with security. In particular, with authentication.
[Moderator's note: Actually, it seems to have everything to do with session fixation. --Perry] I may be ignorant about a few things but I'm learning fast, and I still think the following question is worth my asking (and someone answering) because I'm actually thinking of using this idea on a real web site. At the very least, it seems to me that it ought to be more secure than NOT tracking the IP. > I've come up with a (very simple) defence against session hijacking and so > on. It's probably flawed (I admit I'm not an expert on these things), so if > someone could please tell me why it won't work, I'd be very grateful. > > When the user logs in, the server stores the client's IP address in a > session variable (so it's stored at the server end - the client just gets a > session id). Authentication of subesequent pages is assumed only if the > client's IP address matches the IP address stored in the session variable > corresponding to the client's session. > > Is this secure? If not, why not? Jill > [Moderator's Note: you might want to read the original paper again. It I didn't receive the rest of this moderator's note so I don't know what it was going to say. My apologies for not having changed the subject line from "RE: Session Fixation Vulnerability in Web Based Apps", and for not making it clear that this is a different and unrelated thread. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
