WebApp Sec mailing list archives

RE: How can i protect against session hijacking?


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Thu, 2 Apr 2009 17:47:45 +0100


> There are WAFs available on the market
> that implement secure session handling...

LOL; thanks for the comment, but to paraphrase, you're basically
suggesting adding another technology to the mix (one that the client
will be unlikely to be familiar with, but will have to maintain both
from a platform and skills perspective), and rather than fixing the
application, you duplicate some functionality into the WAF, which
(unless you fix the XSS [in the WAF or application]) won't actually help
with the lost session ID anyway, as the attacker will still be running
mobile code in the user's browser session, with access to everything that
the user has: source IP, cookies, blah-blah-blah.

Doesn't sound like a particularly ideal solution to the scenario to
me...

Martin...
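The reply above argues that the real fix is removing the XSS from the application itself rather than bolting session handling onto a WAF. As an added illustration (not code from the thread or from any product mentioned in it), the following Python shows the kind of defect in question, a page that interpolates untrusted input straight into HTML, next to the hardened version that encodes the input for the HTML context. The `render_greeting_*` function names and the sample inputs are constructed for this example.

```python
import html

# Constructed sample inputs: a benign name, a name with a quote character,
# and the classic harmless XSS probe string.
SAMPLE_INPUTS = [
    "Alice",
    "O'Neal",
    "<script>alert(1)</script>",
]


def render_greeting_vulnerable(name: str) -> str:
    """Reflects untrusted input into HTML unchanged: reflected XSS."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Same page, with the input encoded for the HTML text/attribute context.

    html.escape() turns <, >, &, " and ' into entities, so any markup in
    the input is rendered as literal text and never parsed as a tag or
    script by the browser.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to demonstrate the difference in this example."""
    return "<script" in markup.lower()


def audit(inputs: list[str]) -> dict[str, dict[str, bool]]:
    """Run both renderers over the inputs and report which outputs still
    carry a live <script> tag. The vulnerable renderer passes markup
    through untouched; the safe one never does, whatever the input."""
    report: dict[str, dict[str, bool]] = {}
    for value in inputs:
        report[value] = {
            "vulnerable_has_script": contains_script_tag(render_greeting_vulnerable(value)),
            "safe_has_script": contains_script_tag(render_greeting_safe(value)),
        }
    return report


if __name__ == "__main__":
    for value, result in audit(SAMPLE_INPUTS).items():
        print(f"{value!r}: {result}")
```

The point of the pairing is that output encoding at the application layer removes the bug for every input, so there is nothing left for the attacker's script to run in the user's browser session; a filter in front of the application, by contrast, is only ever a guess at what the bad input looks like.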
