According to the security researchers who took over the Torpig botnet
and analyzed the data (read the PDF, it's good), some ISPs still
change IP addresses a lot... more than once an hour:
On Wed, May 6, 2009 at 9:09 AM, Scott Ferguson <f...@caucho.com> wrote:
> On May 4, 2009, at 7:38 AM, Daniel Lopez wrote:
>> If Resin does not implement it itself, implementing a filter that
>> stores the IP in the session and checks on each request before passing
>> the request along should not be difficult. I don't know if Resin
>> already provides such a feature.
> Resin doesn't currently have that feature, so you'd need to use a
> filter. There used to be ISPs that changed client IPs randomly as
> part of their normal operation. AOL was the biggest. If that
> behavior has changed so basically everyone uses a single client IP, we
> can make it an option.
> -- Scott
>> Quoting Rafael Escolar | Bookassist <rafael.esco...@bookassist.com
>>> Is there a way to force session to invalidate or not to be recognized
>>> if the client IP changes? This is a PCI requirement so that if a
>>> third party obtains a valid session ID they cannot use it to re-establish
>>> the original session with the server.
>>> Based on tests I have run using Resin 3.1.8, the default
>>> seems to be that the session is maintained whenever the JSESSIONID
>>> contains a valid session id. In particular, I established a session
>>> with the Resin 3.1 server, then changed my client IP, then reconnected
>>> to the server and all session information was maintained.
>>> Thanks in advance.
>> resin-interest mailing list
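
The filter approach described in the thread (store the client IP in the session, check it on each request), as an added example that is not part of the original messages and not Resin code. It assumes the standard javax.servlet API; the class name and session attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: ties each HttpSession to the client IP that first used it.
public class SessionIpBindingFilter implements Filter {
    // Hypothetical session attribute name chosen for this example.
    private static final String BOUND_IP = "example.session.boundIp";
    private ServletContext context;

    public void init(FilterConfig config) { context = config.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) { chain.doFilter(req, res); return; }
        HttpServletRequest request = (HttpServletRequest) req;
        String clientIp = request.getRemoteAddr(); // a proxy's address if one sits in front
        HttpSession session = request.getSession(false); // never create a session here
        if (session != null) {
            String boundIp = (String) session.getAttribute(BOUND_IP);
            if (boundIp != null && !boundIp.equals(clientIp)) {
                // Session ID presented from a different address: log it and kill the session.
                context.log("Session IP mismatch: bound=" + boundIp + " seen=" + clientIp);
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
        // Bind after the chain so sessions created during this request (e.g. at login) are covered.
        session = request.getSession(false);
        try {
            if (session != null && session.getAttribute(BOUND_IP) == null) {
                session.setAttribute(BOUND_IP, clientIp);
            }
        } catch (IllegalStateException e) {
            // Session was invalidated during the request (e.g. logout); nothing to bind.
        }
    }
}
```

The filter still has to be declared and mapped (for example to `/*`) in the application's web.xml. Clients whose ISP rotates addresses, as discussed in the thread, will lose their session on each change.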