WebApp Sec mailing list archives
Re: How can i protect against session hijacking?
From: Robin Wood <dninja () gmail com>
Date: Sat, 28 Mar 2009 22:43:16 +0000
2009/3/28 Marco M. Morana <marco.m.morana () gmail com>:
> 2) Using remote IP for validation. This is all cons. IP address can be spoofed easily. Also if you use this as a form of authentication as machine tagging you will be defeated by an attacker using a proxy in the middle to hide the source IP address. You should never rely on this form of authentication, except maybe for internal low risk applications.
I can understand how with a MITM attack you can spoof your IP, but remotely I wouldn't say that it was easy. Having said this, I agree that relying on IP is a bad idea.

Robin