Re: [Resin-interest] Limiting session to a single IP for a given session_id

2009-05-06 Thread Scott Ferguson
On May 4, 2009, at 7:38 AM, Daniel Lopez wrote: If Resin does not implement it itself, implementing a filter that stores the IP in the session and checks on each request before passing the request along should not be difficult. I don't know if Resin already provides such a feature. Resin

Re: [Resin-interest] Limiting session to a single IP for a given session_id

2009-05-06 Thread Jeff Schnitzer
According to the security researchers who took over the Torpig botnet and analyzed the data (read the PDF, it's good), some ISPs still change IP addresses a lot... more than once an hour: http://www.cs.ucsb.edu/~seclab/projects/torpig/ Jeff On Wed, May 6, 2009 at 9:09 AM, Scott Ferguson

[Resin-interest] Limiting session to a single IP for a given session_id

2009-05-04 Thread Rafael Escolar | Bookassist
Is there a way to force session to invalidate or not to be recognized if the client IP changes? This is a PCI requirement so that if a third obtains a valid session ID they cannot use it to re-establish the original session with the server. Based on tests I have run using Resin 3.1.8, the
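
The filter approach suggested in the thread (store the client IP in the session and check it on each request before passing the request along), written out as an added example; it is not code from any poster or from Resin. It assumes the standard javax.servlet API, and the class name `SessionIpBindingFilter` and the attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: binds each HttpSession to the first client address seen for it.
// Assumption: getRemoteAddr() is the real client address (no proxy in front).
public class SessionIpBindingFilter implements Filter {
    private static final String BOUND_IP = "example.session.boundIp"; // hypothetical name
    private ServletContext ctx;

    public void init(FilterConfig config) { ctx = config.getServletContext(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ip = request.getRemoteAddr();
        // getSession(false): never create a session just to run the check.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_IP);
            if (bound != null && !bound.equals(ip)) {
                // Log addresses only, never the session ID itself.
                ctx.log("session address mismatch: bound=" + bound + " seen=" + ip);
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
        // Bind in the same request that created the session (e.g. login), so the
        // first follow-up request cannot claim an unbound session.
        bind(request.getSession(false), ip);
    }

    // Record the address once; later requests are compared against it.
    private void bind(HttpSession s, String ip) {
        if (s == null) return;
        try {
            if (s.getAttribute(BOUND_IP) == null) s.setAttribute(BOUND_IP, ip);
        } catch (IllegalStateException invalidated) {
            // Session was invalidated during the request (e.g. logout); nothing to bind.
        }
    }
}
```

With this strict comparison, clients whose ISP reassigns their address during a session, as noted in the thread, are forced to log in again.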