RE: [PHP] Protecting from session hijacking
On 04 Jul 2001 19:34:03 +1000, Jason Murray wrote:
> > Now tell me what's wrong with my opinion, b/c it's too simple
> > to work :)
>
> Four words: "Load Balancing Proxy Servers".

I knew it! :)
So if someone on the net sees the URL and it has session id in it, that
session can be stolen?

--
Marius Andreiana

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

RE: [PHP] Protecting from session hijacking
> I think a session should be from the same IP all its life, and this
> should be built into php. Internal networks will be seen as the same
> ip, so session can be stolen by somebody else in the same
> internal net, but not from outside of it.
>
> Now tell me what's wrong with my opinion, b/c it's too simple
> to work :)

Four words: "Load Balancing Proxy Servers".

Jason

Re: [PHP] Protecting from session hijacking
> hijacking? I thought of checking IP address on subsequent requests,
> but apparently this cannot be relied on because of HTTP proxies etc.

but isn't it better than nothing?

I think a session should be from the same IP all its life, and this
should be built into php. Internal networks will be seen as the same
ip, so session can be stolen by somebody else in the same internal net,
but not from outside of it.

Now tell me what's wrong with my opinion, b/c it's too simple to work :)

--
Marius Andreiana
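
The two failure modes raised in this thread, as an added example that is not part of any message above: strict IP pinning rejects a legitimate user behind a load-balancing proxy pool and accepts a second user behind a shared internal network, and the session ID is kept out of URLs with PHP's own session directives. The function names are hypothetical and every address is constructed from documentation ranges.

```php
<?php
// Added example, not code from the thread. Addresses are constructed (RFC 5737 ranges).

// Keep the session ID out of URLs so it cannot leak through logs or shared links.
// Both are standard php.ini session directives; set them before session_start().
function harden_session_ini(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the query string
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
}

// The check proposed in the thread: a session stays on one IP for its whole life.
function ip_pinned_ok(string $boundIp, string $requestIp): bool
{
    return $boundIp === $requestIp;
}

// Replay constructed requests against a session first bound to $boundIp.
// Returns one verdict per request: 'accepted' or 'rejected'.
function replay(string $boundIp, array $requests): array
{
    $verdicts = [];
    foreach ($requests as $r) {
        $verdicts[$r['who'] . ' via ' . $r['ip']] =
            ip_pinned_ok($boundIp, $r['ip']) ? 'accepted' : 'rejected';
    }
    return $verdicts;
}

harden_session_ini();

// Case 1: one legitimate user whose ISP spreads requests over a proxy pool.
$proxyPool = replay('192.0.2.10', [
    ['who' => 'owner', 'ip' => '192.0.2.10'],
    ['who' => 'owner', 'ip' => '192.0.2.11'], // next request left via another proxy
]);

// Case 2: an internal network; the site sees both users as one address.
$sharedNet = replay('198.51.100.7', [
    ['who' => 'owner', 'ip' => '198.51.100.7'],
    ['who' => 'other', 'ip' => '198.51.100.7'], // someone else holding the same session ID
]);

print_r(['proxy pool' => $proxyPool, 'shared network' => $sharedNet]);
```

Run from the command line, the first case shows the owner's second request rejected and the second case shows both users accepted.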