session hijacking and tying session to IP address with filter

2003-10-28 Thread Adam Hardy
What does everyone think of the idea of noting the IP address in the session so that session hijackers are identified if they try to steal a session that has a different IP address from their own? Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Christopher Schultz
Adam, What does everyone think of the idea of noting the IP address in the session so that session hijackers are identified if they try to steal a session that has a different IP address from their own? Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Tim Funk
I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses. The guaranteed way to prevent session hijacking is by using SSL. (And making sure your site is not victim to CSS attacks)

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Adam Hardy
On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses. OK I guess if I write a filter to reject requests where the IP address doesn't

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Adam Hardy
On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses. The guaranteed way to prevent session hijacking is by using SSL. (And making sure

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Frode E. Moe
On Tue, Oct 28, 2003 at 13:23:43 +0100, Adam Hardy wrote: On 10/28/2003 12:06 PM Tim Funk wrote: I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses. The guaranteed way

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Tim Funk
IIRC, AOL users can use any web browser. -Tim Adam Hardy wrote: OK I guess if I write a filter to reject requests where the IP address doesn't match the one in the session, then I can always make an exception for AOL browsers - assuming I can identify them from the browser user-agent or the

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Adam Hardy
On 10/28/2003 01:30 PM Frode E. Moe wrote: On Tue, Oct 28, 2003 at 13:23:43 +0100, Adam Hardy wrote: BTW, what are CSS attacks? Cross-site scripting attack. If an attacker can put text into your application which is echoed back verbatim within the HTML source for different users, the attacker

RE: session hijacking and tying session to IP address with filter

2003-10-28 Thread Morgan Pyne
. Regards, Morgan -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 13:23 To: Tomcat Users List Subject: Re: session hijacking and tying session to IP address with filter On 10/28/2003 12:06 PM Tim Funk wrote: I think they can

Re: session hijacking and tying session to IP address with filter

2003-10-28 Thread Adam Hardy
On 10/28/2003 01:49 PM Morgan Pyne wrote: And I actually find it a bit disturbing that in this day and age somebody would be called anal about security for simply implementing their website via SSL :-) - I would consider this to be a minimum requirement and only the first step for any