Another way would be to get the remote_host and put it in a cookie too
(encrypted/hashed) and compare it in further invocations - or hash it
and add it to the session ID itself.
Cheers, Anjo
Am 08.10.2008 um 14:20 schrieb Mike Schrag:
So, my question now becomes: Where can I intercept the creation of
the session cookie and make sure it is secure before sending it to
the user?
I read that session hijacking article a week or so ago and was
meaning to add in an override to Wonder ... sooo ... If you use
Wonder, you can checkout the latest commit where there is a new
ERXSession method:
/**
* Override and return true if you want secure-only session and
instance cookies. This prevents
* cookie hijacking man-in-the-middle attacks. Note that to make
this effective (and for sessions to
* work at all), your site must be behind HTTPS at all times. In
development mode, you can disable
* secure mode (@see er.extensions.ERXRequest.isSecureDisabled)
for running in direct-connect
* with this mode enabled.
*
* @return whether or not secure cookies are enabled
*/
public boolean useSecureSessionCookies() {
return false;
}
Returning true for this method will cause Wonder to convert your
session and instance cookies to be secure-only cookies before they
go out over the wire.
ms
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/anjo%40krank.net
This email sent to [EMAIL PROTECTED]
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to [EMAIL PROTECTED]
