I think they can and you'll break AOL users. AOL and other large entities sometimes employ megaproxies where the user might appear to be coming from different IP addresses.
OK I guess if I write a filter to reject requests where the IP address doesn't match the one in the session, then I can always make an exception for AOL browsers - assuming I can identify them from the browser user-agent or the IP address range.
As Christopher says I guess I can do security reviews at regular intervals to see if it's a problem.
The guaranteed way to prevent session hijacking is by using SSL. (And making sure your site is not victim to CSS attacks)
I can't see using SSL for whole session being acceptable - perhaps generally the public usage will go this way, but at the moment that would just be giving fuel to some web-site reviewer to criticise my site for being over-anal about security. Plus it actually would be anal - I don't need to protect from session hijacking so badly that I encrypt the whole lot.
Adam
-- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
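As an added example, not code from Adam or anyone in this thread, here is a servlet filter doing the check Adam describes: it binds a session to the client address seen on its first request and rejects later requests from a different address. The `exemptPrefixes` init-param and its comma-separated prefix format are assumptions made for this example; note that behind a reverse proxy `getRemoteAddr()` returns the proxy's address, so the check only has meaning when Tomcat sees the real client address.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects requests whose client address no longer matches the one recorded when the session began. */
public class SessionAddressFilter implements Filter {
    private static final String ATTR = "SessionAddressFilter.addr";
    /** Hypothetical init-param: comma-separated address prefixes (e.g. "10.") exempt from the check,
     *  for clients known to sit behind megaproxies that rotate addresses mid-session. */
    private String[] exemptPrefixes = new String[0];

    public void init(FilterConfig config) {
        String param = config.getInitParameter("exemptPrefixes");
        if (param != null && param.length() > 0) {
            exemptPrefixes = param.split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session just to tag it
        String addr = request.getRemoteAddr();
        if (session != null && !isExempt(addr)) {
            String recorded = (String) session.getAttribute(ATTR);
            if (recorded == null) {
                session.setAttribute(ATTR, addr); // first request on this session: bind it to this address
            } else if (!recorded.equals(addr)) {
                session.invalidate(); // address changed mid-session: treat the session cookie as possibly stolen
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "Session/address mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    private boolean isExempt(String addr) {
        for (int i = 0; i < exemptPrefixes.length; i++) {
            if (addr.startsWith(exemptPrefixes[i])) return true;
        }
        return false;
    }

    public void destroy() {}
}
```

Map it in web.xml ahead of the Struts action servlet; logging each mismatch (address pair and session id) gives the periodic security review Adam mentions something concrete to look at, and shows whether megaproxy users are being locked out.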
