tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject session hijacking and tying session to IP address with filter
Date Tue, 28 Oct 2003 08:42:09 GMT
What does everyone think of the idea of noting the IP address in the 
session so that session hijackers are identified if they try to steal a 
session that has a different IP address from their own?

Are there any drawbacks to this method? Nobody can spoof an IP address 
and still get back the response, can they?

Thanks
Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
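
The filter idea asked about above could look like the following sketch. It is an added example, not part of the original message or of Tomcat itself; the class name `SessionIpFilter` and the session attribute name are hypothetical, and it assumes Tomcat sees the client's address directly rather than a proxy's.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: binds each HttpSession to the address that first used it.
public class SessionIpFilter implements Filter {
    // Hypothetical attribute name chosen for this example.
    private static final String BOUND_IP = "example.session.boundIp";
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { ctx = null; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        // getRemoteAddr() is the TCP peer; behind a reverse proxy it is the proxy.
        String remote = request.getRemoteAddr();
        HttpSession session = request.getSession(false); // never create one here
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_IP);
            if (bound != null && !bound.equals(remote)) {
                ctx.log("Session bound to " + bound + " presented from " + remote);
                // Design choice: drop the session so the presented ID is useless.
                // A legitimate client whose address changed mid-session (mobile
                // network, proxy pool) is rejected as well and must log in again.
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
        // Bind after the chain so a session created by this request is covered.
        session = request.getSession(false);
        if (session != null && session.getAttribute(BOUND_IP) == null) {
            session.setAttribute(BOUND_IP, remote);
        }
    }
}
```

The filter is registered with a `<filter>` and `<filter-mapping>` entry in the web application's `web.xml`.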
