tomcat-users mailing list archives

From Christopher Schultz <christopher.d.schu...@comcast.net>
Subject Re: session hijacking and tying session to IP address with filter
Date Tue, 28 Oct 2003 11:09:02 GMT
Adam,
> What does everyone think of the idea of noting the IP address in the 
> session so that session hijackers are identified if they try to steal a 
> session that has a different IP address from their own?
> 
> Are there any drawbacks to this method? Nobody can spoof an IP address 
> and still get back the response, can they?

I know of at least one group that will get screwed: AOL users. (spare 
the jokes :)

No, really. I'm not sure if this is still the case, but I was working 
for a client that had a separate box running their application without a 
BigIP in front of it, simply because of their AOL users.

It seems that AOL plays games with their gateways and NAT configuration 
so that the same user can click around the web and appear to have a 
different source IP for every request. It's total madness and apparently 
BigIP couldn't make any sense of it, at least with the version they were 
using.

This could be a major drawback.

What you might want to do is create a security log and simply log when 
the IP address changes for a session. You might find that either AOL no 
longer does this, or you have no AOL customers using your site. On the 
other hand, you can always do retrospective security audits.

-chris
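The log-don't-block approach Chris describes, as an added example that is not code from this thread or from Tomcat. It assumes a servlet 2.3-style Filter (javax.servlet) and a hypothetical session attribute name; the logger category is likewise a placeholder choice.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Records the client address a session was first seen from and writes an
 * audit entry whenever a later request for the same session arrives from a
 * different address. The request is never rejected, so address-hopping
 * clients (the AOL case above) keep working while the log still supports a
 * retrospective review of how often, and for which sessions, it happens.
 */
public class SessionAddressAuditFilter implements Filter {
    // Hypothetical attribute name chosen for this example.
    static final String ATTR_ADDR = "audit.sessionAddr";
    private static final Logger LOG = Logger.getLogger("security.audit");

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest hreq = (HttpServletRequest) req;
            HttpSession session = hreq.getSession(false); // inspect only existing sessions
            if (session != null) {
                // Behind a load balancer such as the BigIP mentioned above,
                // getRemoteAddr() is the balancer's address; use whatever
                // forwarded-address mechanism that balancer provides instead.
                String current = hreq.getRemoteAddr();
                String recorded = (String) session.getAttribute(ATTR_ADDR);
                if (recorded == null) {
                    session.setAttribute(ATTR_ADDR, current);
                } else if (!recorded.equals(current)) {
                    // The session id is itself a credential: hash or truncate it
                    // before writing to a shared log in production.
                    LOG.warning("session " + session.getId() + " moved from " + recorded
                            + " to " + current + " on " + hreq.getRequestURI());
                    session.setAttribute(ATTR_ADDR, current); // log every hop, not just the first
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map it to /* in web.xml and review the audit log before deciding whether a hard IP check would lock out real users.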



