On Mon, Nov 17, 2003 at 03:16:55PM -0600, Thomas M. Duffey wrote:
> Sorry if this is common knowledge or regularly discussed; I'm fairly
> new to the list. I see quite a few messages on this and other
> security lists about session hijacking in Web applications. Isn't it
> good defense for a programmer to store the IP address of the client
> when the session is initiated, and then compare that address against
> the client for each subsequent request, destroying the session if the
> address changes? Do many programmers really overlook this simple
> method to protect against such an attack? It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user. Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
>
This would break things like NATed machines and such.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
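An added illustration (not code from either poster) of the check Duffey proposes and of the failure mode the reply points at: a server-side session store that records the client address at login and destroys the session on any later mismatch. The simulated request sequence and its addresses are constructed; the NAT in the example is assumed to have two egress addresses, so a legitimate user's request can arrive from either one.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    client_ip: str  # address observed when the session was created


class SessionStore:
    """Server-side sessions bound to the client IP seen at creation time."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user=user, client_ip=client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        """Return the session if the request IP matches; otherwise destroy it.

        The store cannot tell a hijack attempt from a legitimate user whose
        NAT or proxy egress address changed: both end the session.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.client_ip != client_ip:
            del self._sessions[sid]
            return None
        return session

    def active(self, sid: str) -> bool:
        return sid in self._sessions


def simulate_requests(store: SessionStore, sid: str, ips: List[str]) -> List[bool]:
    """Replay requests for one session from a sequence of source IPs (constructed).

    Returns, per request, whether it was served with a valid session.
    """
    return [store.lookup(sid, ip) is not None for ip in ips]


if __name__ == "__main__":
    store = SessionStore()
    # Constructed addresses: a NAT with egress 203.0.113.10 and 203.0.113.11.
    sid = store.create("alice", "203.0.113.10")
    print(simulate_requests(store, sid, ["203.0.113.10", "203.0.113.11", "203.0.113.10"]))
```

The third request comes from the original address yet is refused, because the mismatch on the second request already destroyed the session; that is the side effect the reply objects to.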
