* Vincent van Scherpenseel <[EMAIL PROTECTED]> [2005-08-07 22:41 +0200]:
> On Sunday 07 August 2005 20:27, Bipin Gautam wrote:
>
> > BUT, I remember testing it on PHPBB back then, I don't think you can
> > take over the session on that! (I may be wrong). YAP, but there are
> > LOTS of sites & applications out there from which you can easily steal
> > away sessions.
>
> Well, if the client's IP address used for a given session is stored in a
> session variable it's not possible to steal an active session from another
> IP address. That's probably their way of working around this problem.

What if the attacker is behind the same proxy?

Nicolas

--
http://www.rachinsky.de/nicolas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
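
The IP-bound session check discussed in this thread, and the shared-proxy case raised in the reply, as an added example that is not part of the original posts. The class and function names and all addresses (documentation and private ranges) are constructed for illustration; it shows what the server-side check can and cannot distinguish.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    bound_ip: str  # peer address recorded when the session was created


class SessionStore:
    """Hypothetical in-memory session store that binds each session to an IP."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, remote_addr):
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, remote_addr)
        return sid

    def validate(self, sid, remote_addr):
        """Return the user if the id is known and the peer address matches."""
        session = self._sessions.get(sid)
        if session is None or session.bound_ip != remote_addr:
            return None
        return session.user


PROXY_EGRESS = "203.0.113.10"  # constructed: one proxy shared by many clients


def peer_address(client_ip, via_proxy):
    """Address the web server sees as the TCP peer for this client."""
    return PROXY_EGRESS if via_proxy else client_ip


def demo():
    store = SessionStore()
    sid = store.create("alice", peer_address("10.0.0.5", via_proxy=True))
    return {
        # The legitimate owner, still behind the proxy: accepted.
        "owner_via_proxy": store.validate(sid, peer_address("10.0.0.5", True)),
        # Same session id presented from an unrelated address: rejected.
        "other_host_elsewhere": store.validate(sid, peer_address("198.51.100.7", False)),
        # Same session id from a different host behind the same proxy:
        # the server sees the same peer address, so the check passes.
        "other_host_same_proxy": store.validate(sid, peer_address("10.0.0.99", True)),
    }


if __name__ == "__main__":
    print(demo())
```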
