I think they can, and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses.

The guaranteed way to prevent session hijacking is by using SSL (and making sure your site is not victim to CSS attacks).

-Tim

Adam Hardy wrote:

What does everyone think of the idea of noting the IP address in the session so that session hijackers are identified if they try to steal a session that has a different IP address from their own?

Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the response, can they?
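An added example, not part of the original messages: a minimal IP-bound session check replayed over constructed request sequences, showing the proxy-pool drawback raised in the reply above and what the check does and does not flag. `SessionStore`, `run_scenarios` and the addresses (RFC 5737 documentation ranges) are hypothetical.

```python
import secrets


class SessionStore:
    """In-memory session table that records the client IP seen at login."""

    def __init__(self):
        self._sessions = {}  # session id -> (user, ip recorded at login)

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, client_ip)
        return sid

    def check(self, sid, client_ip):
        """Return 'ok', 'ip-mismatch' or 'unknown-session' for one request."""
        entry = self._sessions.get(sid)
        if entry is None:
            return "unknown-session"
        _user, bound_ip = entry
        return "ok" if client_ip == bound_ip else "ip-mismatch"


def run_scenarios():
    """Replay three constructed request sequences against the check."""
    store = SessionStore()
    results = {}

    # 1. Legitimate user behind a proxy pool: each request may leave
    #    through a different proxy address, so the check rejects them.
    sid = store.login("alice", "198.51.100.10")
    pool = ("198.51.100.10", "198.51.100.11", "198.51.100.12")
    results["proxy_pool_user"] = [store.check(sid, ip) for ip in pool]

    # 2. Session id presented from an unrelated address: flagged.
    sid = store.login("bob", "203.0.113.5")
    results["replay_other_ip"] = store.check(sid, "192.0.2.77")

    # 3. Session id presented by a second client that shares the owner's
    #    proxy/NAT address: the check cannot tell the two apart.
    results["replay_same_egress"] = store.check(sid, "203.0.113.5")
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```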

