In case you missed it earlier in this thread, this doesn't handle NAT (or anonymizers) where there isn't a one-to-one mapping of users to IP addresses.
> You could log the IP address with the userreference variable and then
> validate that they continue to match.
>
> ===== Original Message from [EMAIL PROTECTED] at 9/12/02 11:56 am
>
>> If you're running a secure application it's a good idea to check the referer
>> on every hit, and if it's not from your site, then purge the user scope and
>> call your login method. This helps to prevent people from hacking your forms
>> and changing values. If your application is structured to use a main taf or
>> tml file, or uses a common initialization method, then your code needs to be
>> in one place only. This won't guarantee security by itself however as a good
>> hacker can spoof a referer.
>>
>> Dave.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Downall
>> Sent: Thursday, September 12, 2002 1:37 PM
>> To: Multiple recipients of list witango-talk
>> Subject: Re: Witango-Talk: Preventing Session hijacking
>>
>> I do this most of the time. (Of course, it is helpful to spell
>> UserReference correctly :-)) A page can still be hacked, but the hacker
>> has to view the source, and won't find the arguments in the url history.
>>
>> Bill
>>
>> On Thu, 12 Sep 2002 10:14:26 -0700, Atrix Wolfe wrote:
>>
>>> i have a silly idea that just might work...
>>>
>>> what if instead of passing the user reference argument on the
>>> command line, you put this on all your forms:
>>>
>>> <input name=UserReferance type=hidden value="<@USERREFERENCEARGUMENT>">
>>>
>>> that way it is still being passed as an argument on every page,
>>> except it is not being passed as a search arg, but as a post arg instead.
>>
>> ________________________________________________________________________
>> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>> with unsubscribe witango-talk in the message body

Bill Conlon
To the Point
345 California Avenue, Suite 2
Palo Alto, CA 94306
office: 650.327.2175
fax: 650.329.8335
mobile: 650.906.9929
e-mail: mailto:[EMAIL PROTECTED]
web: http://www.tothept.com
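The two checks discussed in this thread (Dave's referer check that purges the user scope on any hit not from the site, and the suggestion to bind the user reference to the client IP), written out as an added example that is not Witango code from any of the posters; the host name, the in-memory session store and the `bind_ip` switch for NAT/proxy deployments are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed host of the application; a real deployment would read this from config.
SITE_HOST = "www.example.com"

# Constructed in-memory stand-in for the server-side user scope:
# user reference -> client IP recorded at login.
sessions = {}


def start_session(user_ref, client_ip):
    """Record the client IP alongside the user reference at login time."""
    sessions[user_ref] = client_ip


def referer_is_local(referer):
    """Referer check from the thread: accept only hits whose Referer host is
    exactly our site. A missing Referer is treated as 'not from our site'.
    Comparing the parsed hostname (not a string prefix) means
    http://www.example.com.evil.test/ is rejected."""
    if not referer:
        return False
    return urlsplit(referer).hostname == SITE_HOST


def validate_hit(user_ref, client_ip, referer, bind_ip=True):
    """Run both checks for one request. Returns (ok, reason); on failure the
    user scope is purged so the caller can fall through to the login method.
    bind_ip=False disables the IP comparison for deployments where users sit
    behind NAT or a proxy and one IP does not map to one user.
    Remember that a Referer can be spoofed, so this is defence in depth,
    not a substitute for unguessable server-side session identifiers."""
    if user_ref not in sessions:
        return False, "unknown-user-reference"
    if not referer_is_local(referer):
        sessions.pop(user_ref, None)  # purge user scope
        return False, "referer-mismatch"
    if bind_ip and sessions[user_ref] != client_ip:
        sessions.pop(user_ref, None)  # purge user scope
        return False, "ip-mismatch"
    return True, "ok"
```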
