This has got nothing whatsoever to do with session fixation. It _has_
however, got something to do with security. In particular, with

[Moderator's note: Actually, it seems to have everything to do with
session fixation. --Perry]

I may be ignorant about a few things but I'm learning fast, and I still
think the following question is worth my asking (and someone answering)
because I'm actually thinking of using this idea on a real web site. At the
very least, it seems to me that it ought to be more secure than NOT tracking
the IP.

> I've come up with a (very simple) defence against session hijacking and so
> on. It's probably flawed (I admit I'm not an expert on these things), so
> someone could please tell me why it won't work, I'd be very grateful.
> When the user logs in, the server stores the client's IP address in a
> session variable (so it's stored at the server end - the client just gets
> session id). Authentication of subesequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?


> [Moderator's Note: you might want to read the original paper again. It

I didn't receive the rest of this moderator's note so I don't know what it
was going to say. My apologies for not having changed the subject line from
"RE: Session Fixation Vulnerability in Web Based Apps", and for not making
it clear that this is a different and unrelated thread.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to