Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

[Elihu Smails <elihusmails2000 () yahoo com>]

But you have already stored the IP address of the
attacker who created the session.  Therefore when the
victim connects to your web app, you do not allow them
in because the IP address does not match what is
currently stored in the session information.


--- "Sverre H. Huseby" <shh () thathost com> wrote:

> [Elihu Smails]
>
> |   Sessions should track the remote IP address of
> the client at a
> |   minimum, so that this problem could go away.
>
> Unfortunately, checking IP addresses won't solve the
> Session Riding /
> Web Trojan problem, as the request is coming from
> the victim's
> computer.
>
>
> Sverre.



                
__________________________________ 
Do you Yahoo!? 
Dress up your holiday email, Hollywood style. Learn more. 
http://celebrity.mail.yahoo.com