Somewhat related, SCTP is a multi-homed transport protocol. If it finds a home in webapps, using IPs as IDs becomes harder. :-)
Sam

On Mon, 2003-11-17 at 16:16, Thomas M. Duffey wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> Sorry if this is common knowledge or regularly discussed; I'm fairly
> new to the list. I see quite a few messages on this and other
> security lists about session hijacking in Web applications. Isn't it
> good defense for a programmer to store the IP address of the client
> when the session is initiated, and then compare that address against
> the client for each subsequent request, destroying the session if the
> address changes? Do many programmers really overlook this simple
> method to protect against such an attack? It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user. Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
>
> Best Regards,
>
> - --
> :: t h o m a s d u f f e y
> :: h o m e b o y z i n t e r a c t i v e
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQE/uTrH8fKWAp8CzDARAhyOAJ9kXkkiUERgEVRWhH5GtGACTKA1hwCfak+7
> KsyUSQG+iAcPVxX3BIdTTRc=
> =9f2R
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
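The check Thomas proposes, binding a session to the client address seen at login and destroying it on mismatch, is easy to model. The following is an added example written for this page, not code from the thread or from any PHP session module; the session-store API, the user name and the addresses (taken from documentation ranges) are all constructed. It shows where the check helps (cookie replayed from another address), where it does not (attacker behind the same NAT or proxy presents the same address), and the side effect Thomas calls "little or no annoying": a legitimate user whose address changes mid-session is logged out. A prefix-length option is included to show the usual compromise of binding to a network block instead of a single address.

```python
"""Added example: binding a web session to the client's IP address.

Models the defense discussed in the thread: record the peer address when the
session is created and reject (and destroy) the session if a later request
arrives from a different address.  The store API, user names and addresses
below are hypothetical, constructed for this example only.
"""
import ipaddress
import secrets


class SessionStore:
    """Minimal server-side session store with IP binding."""

    def __init__(self, prefix_len=None):
        # prefix_len=None binds to the exact address.  prefix_len=24 binds
        # to the /24 block, so a user whose ISP rotates addresses inside
        # one block keeps the session, at the cost of admitting anyone else
        # in that block who obtains the cookie.
        self.prefix_len = prefix_len
        self._sessions = {}

    def _key(self, ip):
        # 'ip' must be the TCP peer address (REMOTE_ADDR in CGI/PHP terms).
        # Headers such as X-Forwarded-For are client-controlled and would
        # let a hijacker simply claim the victim's address.
        addr = ipaddress.ip_address(ip)
        if self.prefix_len is None:
            return str(addr)
        net = ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)
        return str(net)

    def create(self, ip, user):
        """Start a session for 'user' from 'ip'; returns the session id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ip_key": self._key(ip)}
        return sid

    def validate(self, sid, ip):
        """Return the session's user, or None if unknown or address mismatch.

        On mismatch the session is destroyed, as proposed in the thread, so
        the original address cannot use it afterwards either.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess["ip_key"] != self._key(ip):
            del self._sessions[sid]
            return None
        return sess["user"]


def run_scenarios():
    """Constructed scenarios; returns the outcome of each as a dict."""
    out = {}

    # 1. Exact-address binding.  Alice logs in from 203.0.113.10.
    strict = SessionStore()
    sid = strict.create("203.0.113.10", "alice")
    # An attacker who sniffed the cookie replays it from 198.51.100.7.
    out["hijack_from_other_ip"] = strict.validate(sid, "198.51.100.7")
    # The mismatch destroyed the session; Alice's own address is now out too.
    out["original_ip_after_mismatch"] = strict.validate(sid, "203.0.113.10")

    # 2. Attacker behind the same NAT or proxy as Alice: same address, passes.
    strict = SessionStore()
    sid = strict.create("203.0.113.10", "alice")
    out["hijack_same_nat"] = strict.validate(sid, "203.0.113.10")

    # 3. Alice's address changes mid-session (proxy pool, reconnect):
    #    false positive, she is logged out.
    strict = SessionStore()
    sid = strict.create("203.0.113.10", "alice")
    out["legit_user_ip_change_exact"] = strict.validate(sid, "203.0.113.11")

    # 4. Same change with /24 binding: tolerated inside the block, not outside.
    loose = SessionStore(prefix_len=24)
    sid = loose.create("203.0.113.10", "alice")
    out["legit_user_ip_change_prefix"] = loose.validate(sid, "203.0.113.11")
    out["legit_user_new_block_prefix"] = loose.validate(sid, "203.0.114.5")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'session kept' if result else 'session rejected'}")
```

Scenario 2 is the important caveat: the check adds nothing against an attacker who shares the victim's egress address, which is exactly the sniffing-on-the-same-LAN case session hijacking discussions usually start from. Scenario 3 is the usability cost; the prefix option in scenario 4 trades some of that cost back for a wider acceptance window.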
