WebApp Sec mailing list archives

Re: AW: JRun: The Easiness of Session Fixation


From: Hannes Schmiderer <securityfocus.com_n () schmiderer cc>
Date: 2 Mar 2003 01:07:37 -0000

In-Reply-To: <BC075A4ACA1BE640BF9D9A80BEA93AC0021F9A () wsv01 d-con com>

I save the incoming ip address when the session is created. On each request I compare the incoming ip address with the ip stored in the session. If it does not match there is something foul.

Hi,
This does not always help: if users are using the same proxy or are in 
the same private network, they all have the same IP address.

On the other hand, there are providers who not only give new IP 
addresses per internet connection, but also per HTTP access. So they may 
have different IP addresses on consecutive page hits.

For instance AOL is such a provider: 
http://webmaster.info.aol.com/proxyinfo.html
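The two failure modes described in this reply, as an added example that is not part of the original posts or of JRun. It implements the quoted "store the IP at session creation, compare on every request" check against an in-memory session store (the store, the function names and the IP addresses from the RFC 5737 documentation ranges are all constructed for the example) and then drives it with two constructed client scenarios: an attacker and a victim behind the same proxy, and a legitimate user whose provider rotates the proxy address on every hit.

```python
"""Session-to-IP binding check and the two cases where it fails."""
import secrets

# Constructed in-memory session store: session id -> {"ip": ..., "user": ...}
SESSIONS = {}


def create_session(client_ip):
    """Create a session and bind it to the IP that created it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"ip": client_ip, "user": None}
    return sid


def ip_check(sid, client_ip):
    """The check from the quoted post: the request is accepted only if the
    incoming IP equals the IP stored when the session was created."""
    record = SESSIONS.get(sid)
    if record is None:
        return False
    return record["ip"] == client_ip


def login(sid, client_ip, user):
    """Authenticate the user into an existing session (as a fixation-prone app does)."""
    if not ip_check(sid, client_ip):
        return False
    SESSIONS[sid]["user"] = user
    return True


def whoami(sid, client_ip):
    """Return the user bound to the session, or None if the IP check rejects it."""
    if not ip_check(sid, client_ip):
        return None
    return SESSIONS[sid]["user"]


def shared_proxy_fixation():
    """Attacker and victim share one proxy (constructed IP), so the check passes
    for both of them and session fixation still works."""
    proxy_ip = "203.0.113.10"
    # Attacker obtains a session id from the application and plants it on the victim.
    planted_sid = create_session(proxy_ip)
    # Victim, behind the same proxy, logs in using the planted id.
    login(planted_sid, proxy_ip, "victim")
    # Attacker reuses the id from the same IP; the IP check does not stop this.
    return whoami(planted_sid, proxy_ip)


def rotating_proxy_user():
    """Provider assigns a different proxy IP per HTTP access (constructed IPs):
    a legitimate logged-in user is rejected on every following request."""
    hits = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    sid = create_session(hits[0])
    login(sid, hits[0], "alice")
    return [whoami(sid, ip) for ip in hits[1:]]


if __name__ == "__main__":
    print("shared proxy, attacker reads:", shared_proxy_fixation())
    print("rotating proxy, later hits see:", rotating_proxy_user())
```

The first scenario returns the victim's identity to the attacker, the second returns None for every hit after login; the IP comparison is therefore both too weak for co-located clients and too strict for clients whose address changes per request.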
