httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <>
Subject [users@httpd] IP-address spoofing a concern?
Date Tue, 27 Jan 2009 13:26:12 GMT
Sorry, this isn't strictly apache related, but this seems like a good
place to find HTTP expertise and insight. I'm just wondering if
ip-address-spoofing is of concern with HTTP in general? Specifically,
I'm using server side sessions and "authenticating" them against IP
address. By this I mean I'm just verifying each time the session id is
sent by the client (in the query string or in a cookie) that it's from
the same IP-address as the one that initiated the session to make sure
someone hasn't hijacked another person's session.

So my question is just whether or not someone could possibly spoof
their IP-address in an HTTP request? I believe they would not be able
to get a response from the server with a spoofed IP address, but if
they were, for instance, just trying to submit a form using someone
else's session, then they wouldn't require an HTTP response. However,
they would still need to participate in the TCP handshake, correct?

So it seems to me that ip-spoofing is NOT a concern for HTTP over TCP,
but I would like to hear from someone who actually knows or can offer
any additional insight.


Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message