Hi Adam,

Tying sessions to a particular IP address would be bad for more than just AOL users. It is very common in corporations and organisations to have multiple proxy servers/virus scanners through which client HTTP requests are 'round-robbined' or load-balanced. Each HTTP request will thus appear to come from a different IP address. This is perfectly valid in HTTP since it is a stateless protocol, however time and time again I come across sites which try to impose an artificial 'session' connection between HTTP requests and their source IP addresses, breaking access for many users.
And I actually find it a bit disturbing that in this day and age somebody would be called "anal" about security for simply implementing their website via SSL :-) - I would consider this to be a minimum requirement and only the first step for any website remotely interested in security.

Regards,
Morgan

> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 28, 2003 13:23
> To: Tomcat Users List
> Subject: Re: session hijacking and tying session to IP address with filter
>
>
> On 10/28/2003 12:06 PM Tim Funk wrote:
> > I think they can and you'll break AOL users. AOL and other large
> > entities sometimes employ megaproxies where the user might appear to be
> > coming from different ip addresses.
>
> OK I guess if I write a filter to reject requests where the IP address
> doesn't match the one in the session, then I can always make an
> exception for AOL browsers - assuming I can identify them from the
> browser user-agent or the IP address range.
>
> As Christopher says I guess I can do security reviews at regular
> intervals to see if it's a problem.
>
> > The guaranteed way to prevent session hijacking is by using ssl. (And
> > making sure your site is not victim to css attacks)
>
> I can't see using SSL for the whole session being acceptable - perhaps
> generally the public usage will go this way, but at the moment that
> would just be giving fuel to some web-site reviewer to criticise my site
> for being over-anal about security. Plus it actually would be anal - I
> don't need to protect from session hijacking so badly that I encrypt the
> whole lot.
>
>
> Adam
> --
> struts 1.1 + tomcat 5.0.12 + java 1.4.2
> Linux 2.4.20 RH9
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
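For readers following the thread, here is an added example (not code from any of the posters or from Tomcat itself) of the filter Adam describes, written against the Servlet 2.3 API that Tomcat 5.0 ships with. It records the address a session was first seen from and compares every later request to it. The class name SessionAddressFilter, the session attribute name, and the "mode" init-param are assumptions. The useful part for Morgan's objection is the default audit mode: the filter logs mismatches without blocking, so a site can measure how many legitimate users behind round-robin proxies or megaproxies would be locked out before anyone switches on strict mode.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the mailing-list thread.
 *
 * Binds an HttpSession to the remote address it was first used from.
 * The "mode" init-param (assumed name) selects the mismatch behaviour:
 *   audit  - log the mismatch and let the request through (default)
 *   strict - invalidate the session and answer 403 Forbidden
 */
public class SessionAddressFilter implements Filter {

    // Assumed attribute name; namespaced to avoid clashing with app data.
    private static final String BOUND_ADDR = "SessionAddressFilter.boundAddr";

    private boolean strict;
    private ServletContext context;

    public void init(FilterConfig config) {
        strict = "strict".equalsIgnoreCase(config.getInitParameter("mode"));
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to tag it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_ADDR);

            if (bound == null) {
                // First request carrying this session: remember its source.
                session.setAttribute(BOUND_ADDR, current);
            } else if (!bound.equals(current)) {
                context.log("session " + session.getId() + " bound to " + bound
                        + " but request arrived from " + current
                        + (strict ? " (rejected)" : " (audit only)"));
                if (strict) {
                    session.invalidate();
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return; // do not continue the chain for a rejected request
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

Register it in web.xml as a filter with an init-param named mode and map it to the URL patterns that carry sessions. Two caveats for anyone deploying it: getRemoteAddr() returns the address of whatever TCP peer reached Tomcat, so behind a reverse proxy or load balancer every request may carry the proxy's address rather than the user's, and a proxy farm will produce exactly the rotating addresses Morgan describes; and, as Tim notes in the quoted message, address binding only narrows the window, whereas SSL for the whole session actually keeps the session identifier off the wire.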
