You could log the IP address with the UserReference variable and then validate that they continue to match.
===== Original Message from [EMAIL PROTECTED] at 9/12/02 11:56 am
>If you're running a secure application it's a good idea to check the referer
>on every hit, and if it's not from your site, then purge the user scope and
>call your login method. This helps to prevent people from hacking your forms
>and changing values. If your application is structured to use a main taf or
>tml file, or uses a common initialization method, then your code needs to be
>in one place only. This won't guarantee security by itself however as a good
>hacker can spoof a referer.
>
>Dave.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Bill Downall
>Sent: Thursday, September 12, 2002 1:37 PM
>To: Multiple recipients of list witango-talk
>Subject: Re: Witango-Talk: Preventing Session hijacking
>
>
>I do this most of the time. (Of course, it is helpful to spell
>UserReference correctly:-)) A page can still be hacked, but the hacker
>has to view the source, and won't find the arguments in the url history.
>
>Bill
>
>On Thu, 12 Sep 2002 10:14:26 -0700, Atrix Wolfe wrote:
>
>>i have a silly idea that just might work...
>>
>>what if instead of passing the user referance argument on the command line,
>>you put this on all your forms:
>>
>><input name=UserReferance type=hidden value="<@USERREFERENCEARGUMENT>">
>>
>>that way it is still being passed as an argument on every page, except it is
>>not being passed as a search arg, but as a post arg instead.

________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
with unsubscribe witango-talk in the message body
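The three checks the thread combines (the user reference token carried as a POST argument rather than a search argument, the referer restricted to the site's own host, and the IP recorded at login compared on every hit, with the user scope purged on any mismatch), as an added server-side illustration; this is not code from the list or from Witango, and the host name, session store and request values are constructed.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed host name of the application

# Constructed server-side session store: user reference token -> record.
# The record keeps the client IP captured at login, as the reply suggests.
SESSIONS = {
    "UR-1a2b3c": {"user": "alice", "ip": "203.0.113.10"},
}


def referer_is_local(referer):
    """True only when the Referer header names this site's own host.
    A forged Referer passes this check, so it is one layer, not a guarantee."""
    if not referer:
        return False
    return urlsplit(referer).hostname == SITE_HOST


def validate_request(sessions, form, query, client_ip, referer):
    """Return (ok, detail). On a failed check the session is purged so the
    application must send the client back through its login method."""
    # The token must arrive as a POST argument (hidden form field), never as a
    # search argument, so it does not land in URL history or leak via Referer.
    if "UserReference" in query:
        return False, "token in query string"
    token = form.get("UserReference")
    if not token or token not in sessions:
        return False, "unknown or missing token"
    session = sessions[token]
    if not referer_is_local(referer):
        sessions.pop(token)  # purge the user scope
        return False, "foreign referer"
    if session["ip"] != client_ip:
        sessions.pop(token)  # IP no longer matches the one logged at login
        return False, "ip mismatch"
    return True, session["user"]


if __name__ == "__main__":
    print(validate_request(SESSIONS, {"UserReference": "UR-1a2b3c"}, {},
                           "203.0.113.10", "https://www.example.com/main.taf"))
```

Clients behind a shared proxy or NAT all present the same address, so the IP check alone cannot tell two of them apart; it raises the bar for a hijacker on another network rather than proving identity.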
