WebApp Sec mailing list archives
Re: AW: JRun: The Easiness of Session Fixation
From: Hannes Schmiderer <securityfocus.com_n () schmiderer cc>
Date: 2 Mar 2003 01:07:37 -0000
In-Reply-To: <BC075A4ACA1BE640BF9D9A80BEA93AC0021F9A () wsv01 d-con com>
> I save the incoming ip address when the session is created. On each request I compare the incoming ip address with the ip stored in the session. If it does not match there is something foul.
Hi,

This does not always help: if users are using the same proxy or are in the same private network, they all have the same IP address. On the other hand, there are providers who not only give out new IP addresses per internet connection, but also per HTTP access. So they may have different IP addresses on consecutive page hits. For instance AOL is such a provider: http://webmaster.info.aol.com/proxyinfo.html
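The following is an added example, not code from either poster and not JRun's session handling. It implements the "pin the session to the IP seen at creation" check from the quoted message in a small in-memory session store, then replays the three situations discussed above: a hijack attempt from a different address (the check works), an attacker behind the same proxy or NAT as the victim (the check is bypassed), and a legitimate user behind an AOL-style proxy farm whose egress IP changes between consecutive hits (the check locks the real user out). The class and function names, and all IP addresses (RFC 5737 documentation ranges), are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    sid: str
    bound_ip: str                      # client IP stored when session was created
    data: dict = field(default_factory=dict)


class IpBoundSessionStore:
    """Hypothetical server-side session store that applies the check from the
    quoted message: remember the client IP at creation, and on every later
    request refuse the session if the request IP differs."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, client_ip: str) -> str:
        sid = secrets.token_hex(16)            # unguessable session id
        self._sessions[sid] = Session(sid=sid, bound_ip=client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        """Return the session, or None if the id is unknown or the request
        comes from an IP other than the one stored at creation ("foul")."""
        s = self._sessions.get(sid)
        if s is None or s.bound_ip != client_ip:
            return None
        return s


def scenario_direct_hijack() -> Tuple[bool, bool]:
    """Victim and attacker on different networks: the check does its job."""
    store = IpBoundSessionStore()
    sid = store.create("198.51.100.10")                 # victim's own address
    victim_ok = store.lookup(sid, "198.51.100.10") is not None
    attacker_ok = store.lookup(sid, "203.0.113.7") is not None   # stolen/fixed id
    return victim_ok, attacker_ok


def scenario_shared_proxy() -> bool:
    """Victim and attacker behind the same proxy or NAT (same private network):
    both arrive with the proxy's address, so the attacker passes the check."""
    store = IpBoundSessionStore()
    proxy_ip = "192.0.2.1"
    sid = store.create(proxy_ip)                        # victim's session, via proxy
    return store.lookup(sid, proxy_ip) is not None      # attacker, via same proxy


def scenario_rotating_proxy() -> List[bool]:
    """AOL-style provider: consecutive page hits from one legitimate user leave
    through different proxy addresses. Constructed sequence of egress IPs."""
    store = IpBoundSessionStore()
    hits = ["203.0.113.21", "203.0.113.22", "203.0.113.21", "203.0.113.23"]
    sid = store.create(hits[0])
    # Only requests that happen to reuse the first egress IP survive the check.
    return [store.lookup(sid, ip) is not None for ip in hits]


if __name__ == "__main__":
    print("direct hijack  (victim_ok, attacker_ok):", scenario_direct_hijack())
    print("shared proxy   attacker_ok:", scenario_shared_proxy())
    print("rotating proxy per-hit results:", scenario_rotating_proxy())
```

Run as a script it prints the outcome of each scenario; the last two show the false negative (attacker accepted) and the false positives (legitimate user rejected on the hits that leave through a different proxy address) that make IP binding an unreliable sole defence.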
Current thread:
- AW: JRun: The Easiness of Session Fixation Javor Evstatiev (Mar 01)
- <Possible follow-ups>
- Re: AW: JRun: The Easiness of Session Fixation Hannes Schmiderer (Mar 01)