fliptop wrote:
> Joe Breeden wrote:
>>
>> How does this work in an environment with two (or more) computers with the
>> exact same configuration, and probably the same HTTP_USER_AGENT behind the
>> same proxy? How do you know that one user isn't using another user's session?
>
> you don't. the session hijacker still would need to know the real
> user's username, password, and HTTP_USER_AGENT configuration.

The session hijacker would not need to know the username and password. They would only need to sniff the cookie from the network, and then send it from a client identifying itself as the same User Agent.

> my point was that this solves the problem of using the ip address in the md5 hash
> when the client is behind a proxy server.

This does not solve the problem: the IP address of users behind a proxy is not unique. The User Agent is not unique either. Using the User Agent solves nothing, and is in fact far less secure, since the client can set the User Agent header to be just about anything. At least the IP address has to be correct (but not unique) if the client wants to get a response.