Re: [PHP] Protecting from session hijacking

2001-07-04 Thread Marius Andreiana
> hijacking? I thought of checking IP address on subsequent requests, but apparently this cannot be relied on because of HTTP proxies etc.
but isn't it better than nothing? I think a session should be from the same IP all its life, and this should be built into PHP. Internal networks will be seen

RE: [PHP] Protecting from session hijacking

2001-07-04 Thread Jason Murray
> I think a session should be from the same IP all its life, and this should be built into PHP. Internal networks will be seen as the same IP, so session can be stolen by somebody else in the same internal net, but not from outside of it. Now tell me what's wrong with my opinion, b/c it's

RE: [PHP] Protecting from session hijacking

2001-07-04 Thread Marius Andreiana
On 04 Jul 2001 19:34:03 +1000, Jason Murray wrote:
> > Now tell me what's wrong with my opinion, b/c it's too simple to work :)
> Four words: Load Balancing Proxy Servers.
I knew it! :) So if someone on the net sees the URL and it has session id in it, that session can be stolen?
--
Marius

[PHP] Protecting from session hijacking

2001-07-03 Thread Arcady Genkin
Is there any real way to protect against the possibility of session hijacking? I thought of checking IP address on subsequent requests, but apparently this cannot be relied on because of HTTP proxies etc. Any wisdom on the matter? (I'm already saving the session files in a directory protected from