You didn't mention the context. HTTPS would just help to avoid spoofing of the id with a network sniffer. If you publish the session id to somebody, that's a different thing.

Restricting the session to an IP is not a good idea at all. I don't think that you will find a 'best practice' or 'how to' for this.

> -----Original Message-----
> From: Marc Hughes [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 27, 2004 5:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Tomcat5 and url tracking hijacking
>
>
> I don't see how https would help. Someone posting a URL to a
> newsgroup along the lines of either of these
>
> https://somesite/jsessionid=94823904823908432098
> http://somesite/jsessionid=94823904823908432098
>
> would still hijack the session, no? Could you elaborate on how SSL
> would help?
>
> Cookie hijacking is far less likely since a user is very unlikely to
> post their cookie data somewhere. An attacker would have to
> guess the sessionID. The sessionID is securely generated so it can't easily be
> predicted beforehand (right?).
>
> I'm sure preventing multiple people from using the same session ID if
> the URL is emailed or posted is something lots of people
> would like to do. I would assume there are good ways of handling it and I'd
> rather not reinvent the wheel. Are there any best practices or
> design patterns to guide someone? Maybe restricting URL tracking
> people to a certain IP range, or within a certain tolerance of other info
> they send back (browser, some other signature, etc.)?
>
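One way to implement the mitigation the thread is circling, namely refusing to honour a session id that arrives in the URL so that a posted or emailed `;jsessionid=` link cannot reuse someone else's session, as an added example that is not code from either poster or from Tomcat itself: a servlet filter built on the standard `HttpServletRequest.isRequestedSessionIdFromURL()` check, which already existed in the Servlet 2.3 API that Tomcat 5 implements. The class name `RejectUrlSessionFilter`, the redirect-to-clean-path behaviour, and the assumption that the application only ever issues sessions via cookies are mine, not the thread's.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of Tomcat): refuses to honour a session id
 * that was supplied as a URL path parameter (;jsessionid=...) rather than
 * as a cookie. Assumption: the application only issues sessions via
 * cookies, so a URL-carried id is either a link that leaked or was shared,
 * or an attempt to replay one, and in both cases should not resume a session.
 *
 * Map it in web.xml with <filter-mapping> on /* ahead of the application's
 * own filters so nothing downstream sees the replayed session.
 */
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tomcat prefers a cookie over a path parameter when both are present,
        // so this only fires when the id came solely from the URL.
        if (request.isRequestedSessionIdFromURL()) {
            // Tear down whatever session the container resolved for the URL id,
            // so the shared link is dead for everyone who follows it. The
            // legitimate owner, if they are the one clicking, simply logs in
            // again; that is the trade-off this filter makes.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }

            // Send the client back to the same resource without the
            // ;jsessionid=... segment. Tomcat's getRequestURI() keeps path
            // parameters, so strip everything from the first ';' onward.
            String uri = request.getRequestURI();
            int semi = uri.indexOf(';');
            if (semi >= 0) {
                uri = uri.substring(0, semi);
            }
            String qs = request.getQueryString();
            response.sendRedirect(qs == null ? uri : uri + "?" + qs);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

On Servlet 3.0 containers (Tomcat 7 and later) the same outcome is available declaratively with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which stops the container from ever writing or reading URL-encoded session ids; the filter above is the portable approach for the older container discussed in the thread. Neither approach binds a session to a client IP, which the reply above rejects, and neither addresses an id captured from unencrypted traffic, which is the part HTTPS covers.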
