tomcat-users mailing list archives

From Adam Hardy
Subject session hijacking and tying session to IP address with filter
Date Tue, 28 Oct 2003 08:42:09 GMT
What does everyone think of the idea of noting the IP address in the
session so that session hijackers are identified if they try to steal a
session that has a different IP address from their own?

Are there any drawbacks to this method? Nobody can spoof an IP address 
and still get back the response, can they?


struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
