Re: [Resin-interest] Limiting session to a single IP for a given session_id
On May 4, 2009, at 7:38 AM, Daniel Lopez wrote:

> If Resin does not implement it itself, implementing a filter that stores the IP in the session and checks on each request before passing the request along should not be difficult. I don't know if Resin already provides such a feature.

Resin doesn't currently have that feature, so you'd need to use a filter.

There used to be ISPs that changed client IPs randomly as part of their normal operation. AOL was the biggest. If that behavior has changed so basically everyone uses a single client IP, we can make it an option.

-- Scott

> S! D.
>
> Quoting Rafael Escolar | Bookassist rafael.esco...@bookassist.com :
>
>> Is there a way to force the session to invalidate, or not to be recognized, if the client IP changes? This is a PCI requirement, so that if a third party obtains a valid session ID they cannot use it to re-establish the original session with the server.
>>
>> Based on tests I have run using Resin 3.1.8, the default configuration seems to be that the session is maintained whenever the JSESSIONID cookie contains a valid session id. In particular, I established a session with the Resin 3.1 server, then changed my client IP, then reconnected to the server and all session information was maintained.
>>
>> Thanks in advance.
>> Rafa.

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
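The filter Daniel and Scott describe, written out as an added example (this is not code from the thread or from Resin; the class name, the session attribute name and the 401 response are my own choices, and it assumes the Servlet 2.5 API that Resin 3.1 ships):

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter: records the client IP the first time a session is
 * seen and invalidates the session if a later request presents the same
 * session id from a different IP. Map it to /* in web.xml so it runs in
 * front of every servlet and JSP.
 */
public class SessionIpBindingFilter implements Filter {
    // attribute name is an arbitrary choice for this example
    private static final String BOUND_IP = "example.boundClientIp";
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getRemoteAddr() is the TCP peer. Behind a load balancer or reverse
        // proxy it is the proxy's address, so the check must be adapted there.
        String clientIp = request.getRemoteAddr();
        HttpSession session = request.getSession(false); // never create one just to check
        if (session != null) {
            String boundIp = (String) session.getAttribute(BOUND_IP);
            if (boundIp != null && !boundIp.equals(clientIp)) {
                // The logged mismatch is also what tells you how often legitimate
                // users on ISPs that rotate addresses are being kicked out.
                config.getServletContext().log("session " + session.getId()
                        + " bound to " + boundIp + " presented from " + clientIp
                        + "; invalidating");
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
        // Bind after the chain as well, so a session the servlet created during
        // this request is tied to the IP that created it.
        session = request.getSession(false);
        if (session != null && session.getAttribute(BOUND_IP) == null) {
            session.setAttribute(BOUND_IP, clientIp);
        }
    }
}
```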
Re: [Resin-interest] Limiting session to a single IP for a given session_id
According to the security researchers who took over the Torpig botnet and analyzed the data (read the PDF, it's good), some ISPs still change IP addresses a lot... more than once an hour: http://www.cs.ucsb.edu/~seclab/projects/torpig/

Jeff

On Wed, May 6, 2009 at 9:09 AM, Scott Ferguson f...@caucho.com wrote:

> On May 4, 2009, at 7:38 AM, Daniel Lopez wrote:
>
>> If Resin does not implement it itself, implementing a filter that stores the IP in the session and checks on each request before passing the request along should not be difficult. I don't know if Resin already provides such a feature.
>
> Resin doesn't currently have that feature, so you'd need to use a filter.
>
> There used to be ISPs that changed client IPs randomly as part of their normal operation. AOL was the biggest. If that behavior has changed so basically everyone uses a single client IP, we can make it an option.
>
> -- Scott
>
>> S! D.
>>
>> Quoting Rafael Escolar | Bookassist rafael.esco...@bookassist.com :
>>
>>> Is there a way to force the session to invalidate, or not to be recognized, if the client IP changes? This is a PCI requirement, so that if a third party obtains a valid session ID they cannot use it to re-establish the original session with the server.
>>>
>>> Based on tests I have run using Resin 3.1.8, the default configuration seems to be that the session is maintained whenever the JSESSIONID cookie contains a valid session id. In particular, I established a session with the Resin 3.1 server, then changed my client IP, then reconnected to the server and all session information was maintained.
>>>
>>> Thanks in advance.
>>> Rafa.
[Resin-interest] Limiting session to a single IP for a given session_id
Is there a way to force the session to invalidate, or not to be recognized, if the client IP changes? This is a PCI requirement, so that if a third party obtains a valid session ID they cannot use it to re-establish the original session with the server.

Based on tests I have run using Resin 3.1.8, the default configuration seems to be that the session is maintained whenever the JSESSIONID cookie contains a valid session id. In particular, I established a session with the Resin 3.1 server, then changed my client IP, then reconnected to the server and all session information was maintained.

Thanks in advance.
Rafa.