tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: session hijacking and tying session to IP address with filter
Date Tue, 28 Oct 2003 11:06:25 GMT
I think they can and you'll break AOL users. AOL and other large entities 
sometimes employ megaproxies where the user might appear to be coming from 
different IP addresses.

The guaranteed way to prevent session hijacking is by using SSL. (And making 
sure your site is not a victim of css attacks)

-Tim

Adam Hardy wrote:

> What does everyone think of the idea of noting the IP address in the 
> session so that session hijackers are identified if they try to steal a 
> session that has a different IP address from their own?
> 
> Are there any drawbacks to this method? Nobody can spoof an IP address 
> and still get back the response, can they?
>  

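The filter Adam describes, written out as an added example (it is not code from this thread or from Tomcat): it records the remote address the first time it sees a session and drops the session when a later request for it arrives from a different address. The attribute name and the 403 response are my choices, and `getRemoteAddr()` is assumed to see the real client, not a front-end proxy.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Binds each HttpSession to the remote address that first presented it and
 * rejects later requests for that session from any other address.
 * Added example for the thread above; attribute name and error code are
 * assumptions, not Tomcat conventions.
 */
public class SessionAddressFilter implements Filter {
    // Hypothetical attribute under which the bound address is stored.
    static final String BOUND_ADDRESS = "example.boundRemoteAddr";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): check an existing session, never create one here.
        HttpSession session = request.getSession(false);
        if (session != null && !addressMatches(session, request.getRemoteAddr())) {
            // Mismatch: either a stolen session id or a legitimate user whose
            // address changed (the megaproxy case from the reply). Both are cut off.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session/address mismatch");
            return;
        }
        chain.doFilter(req, res);
        // Bind a session the servlet created during this request so the very
        // next request is already checked; returns null if it was invalidated.
        HttpSession created = request.getSession(false);
        if (created != null) addressMatches(created, request.getRemoteAddr());
    }

    /** True if remoteAddr is the bound address; binds the session on first sight. */
    static boolean addressMatches(HttpSession session, String remoteAddr) {
        String bound = (String) session.getAttribute(BOUND_ADDRESS);
        if (bound == null) {
            session.setAttribute(BOUND_ADDRESS, remoteAddr);
            return true;
        }
        return bound.equals(remoteAddr);
    }

    public void destroy() { }
}
```

Note that the filter cannot tell the two mismatch cases apart: a user behind a megaproxy whose next request leaves from a different proxy address is logged out exactly like a hijacker, which is the drawback the reply points out.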


