Full Disclosure mailing list archives

Re: defense against session hijacking


From: "Gary E. Miller" <gem () rellim com>
Date: Mon, 17 Nov 2003 13:45:12 -0800 (PST)

Yo Thomas!

Some ISPs like AOL use ganged proxies/caches.  You may get the same session
from different proxies as they round robin.

Overly aggressive web caches are a big problem for web apps.


RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Mon, 17 Nov 2003, Thomas M. Duffey wrote:

Isn't it
good defense for a programmer to store the IP address of the client
when the session is initiated, and then compare that address against
the client for each subsequent request, destroying the session if the
address changes?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
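Added example, not code from either mail: a minimal session store that pins each session to the client IP seen at login, as Thomas proposes, replayed against three constructed request sequences so Gary's round-robin proxy case can be seen side by side with the hijack case it is meant to stop. All user names, session ids and addresses are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    bound_ip: str  # client address recorded when the session was created


class IpBoundSessionStore:
    """Sessions pinned to the IP seen at login; any mismatch destroys the session."""

    def __init__(self) -> None:
        self._sessions: dict = {}
        self.destroyed: list = []  # (user, bound_ip, seen_ip) for each teardown

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def authorize(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the session's user if sid is valid and the IP matches, else None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.bound_ip != client_ip:
            # Right call for a reused session id, but the same branch fires for a
            # legitimate user whose ISP round-robins requests across ganged proxies.
            self.destroyed.append((sess.user, sess.bound_ip, client_ip))
            del self._sessions[sid]
            return None
        return sess.user


def run_scenarios() -> dict:
    """Replays three constructed request sequences; returns per-request results."""
    store = IpBoundSessionStore()
    results = {}
    # 1. Directly connected user: every request arrives from the login address.
    sid = store.login("alice", "198.51.100.7")
    results["direct"] = [store.authorize(sid, "198.51.100.7") for _ in range(2)]
    # 2. Session id presented from an unrelated address: refused and destroyed,
    #    so the real owner's next request is refused too (must log in again).
    sid = store.login("bob", "198.51.100.8")
    results["hijack"] = [store.authorize(sid, "203.0.113.9"),
                         store.authorize(sid, "198.51.100.8")]
    # 3. User behind an ISP proxy farm: the second request of the same browser
    #    session reaches the server from a different proxy and is thrown out.
    sid = store.login("carol", "192.0.2.10")
    results["proxied"] = [store.authorize(sid, "192.0.2.10"),
                          store.authorize(sid, "192.0.2.11")]
    return results
```

The third scenario is the false positive Gary describes: the check cannot tell a rotating proxy from a stolen session id, so every proxy switch logs the user out.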