WebApp Sec mailing list archives

Re: How to protect against cookie stealing?


From: Chris Green <cmg () sourcefire com>
Date: Fri, 25 Jul 2003 14:10:57 -0400

".:[ Death Star]:." <deathstar () optonline net> writes:

There is another solution: you can use both session IDs and cookies, so
based on the IP address you would look for the cookie before giving the
user access control. The session ID will store 2 fields (for example, userid
and associated IP address); the cookie will hold other fields. And you can
use multiple sessions and multiple cookies that will be destroyed upon
opening another page.

Has anyone going down this route of incorporating an IP address into
the cookie gotten pushback from people on networks with multiple
proxies or routing rules?
-- 
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.
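
The IP-bound session discussed in this message, and the proxy problem the reply asks about, as an added example that is not part of the original thread. The function names, the prefix parameters and the addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
import secrets

# Server-side session store: session id -> the two fields named in the post.
SESSIONS = {}

def login(userid, client_ip):
    """Bind a new session to the address seen at login; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"userid": userid, "ip": ipaddress.ip_address(client_ip)}
    return sid

def check(sid, client_ip, v4_prefix=32, v6_prefix=128):
    """Return the userid if the request address is acceptable, else None.

    The defaults demand an exact match. Shorter prefixes (hypothetical policy
    knobs) accept any address in the same network as the login address.
    """
    record = SESSIONS.get(sid)
    if record is None:
        return None
    bound, seen = record["ip"], ipaddress.ip_address(client_ip)
    if seen.version != bound.version:
        return None
    prefix = v4_prefix if bound.version == 4 else v6_prefix
    allowed = ipaddress.ip_network(f"{bound}/{prefix}", strict=False)
    return record["userid"] if seen in allowed else None

# Constructed request sequence: one user whose traffic leaves through a proxy
# pool, so consecutive requests arrive from different source addresses.
PROXY_POOL = [
    "192.0.2.10",    # proxy used at login
    "192.0.2.11",    # second proxy in the same /24
    "198.51.100.7",  # proxy in a different network
]

def replay(v4_prefix):
    """Log in via the first proxy, then report which requests are accepted."""
    sid = login("alice", PROXY_POOL[0])
    return [check(sid, ip, v4_prefix=v4_prefix) == "alice" for ip in PROXY_POOL]

if __name__ == "__main__":
    print("exact match:", replay(32))   # same user rejected after a proxy change
    print("/24 match:  ", replay(24))
```

Exact matching drops the legitimate user as soon as a request leaves through a different proxy; matching on a /24 keeps the same-network proxy working but also accepts the cookie from any other host in that /24.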

