Session Fixation Vulnerability in Web Based Apps

Jill.Ramonsky at Aculab.com Jill.Ramonsky at Aculab.com
Mon Jun 16 05:47:04 EDT 2003


I've come up with a (very simple) defence against session hijacking and so
on. It's probably flawed (I admit I'm not an expert on these things), so if
someone could please tell me why it won't work, I'd be very grateful.

When the user logs in, the server stores the client's IP address in a
session variable (so it's stored at the server end - the client just gets a
session id). Authentication of subsequent pages is assumed only if the
client's IP address matches the IP address stored in the session variable
corresponding to the client's session.

Is this secure? If not, why not?

Jill


[Moderator's Note: you might want to read the original paper again. It
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
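Added example, not part of the original mailing-list thread: a minimal server-side session store in Python that implements the IP-binding check Jill describes, and also rotates the session id at login, which is the standard defence against the session fixation named in the subject line (a planted pre-login id must not survive authentication). The hostnames, user name and IP addresses are constructed sample values. The demo at the bottom exercises three cases: a planted id after login, a stolen post-login id presented from a different address, and the limitation of IP binding, namely that a request from the same source address (NAT, shared proxy, or an attacker on the same network egress) still passes.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None       # None until the user has logged in
    bound_ip: Optional[str] = None   # client address recorded at login


class SessionStore:
    """Server-side session table: the client only ever holds an opaque id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # Anonymous (pre-login) session, e.g. for a shopping basket.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, old_sid: str, user: str, client_ip: str) -> str:
        # Discard whatever id the client arrived with (it may have been planted
        # by an attacker) and issue a fresh one bound to the client's address.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, bound_ip=client_ip)
        return new_sid

    def authenticate(self, sid: str, client_ip: str) -> Optional[str]:
        # Returns the logged-in user, or None if the request is not accepted.
        session = self._sessions.get(sid)
        if session is None or session.user is None:
            return None
        if session.bound_ip != client_ip:
            # Address mismatch: reject the request. A real deployment would
            # also log this as a possible hijack attempt.
            return None
        return session.user


def demo() -> Dict[str, Optional[str]]:
    store = SessionStore()
    victim_ip = "203.0.113.10"    # constructed sample addresses
    attacker_ip = "198.51.100.7"

    # 1. Session fixation: the attacker obtains an id and gets the victim to
    #    use it. Because login() rotates the id, the planted one is useless.
    planted = store.create()
    victim_sid = store.login(planted, "alice", victim_ip)
    fixation = store.authenticate(planted, attacker_ip)

    # 2. Hijack: the post-login id is stolen but replayed from another address.
    hijack = store.authenticate(victim_sid, attacker_ip)

    # 3. The legitimate client from the bound address is accepted.
    legit = store.authenticate(victim_sid, victim_ip)

    # 4. Limitation: anyone sharing the victim's source address passes the
    #    IP check, so binding to IP is not sufficient on its own.
    same_ip = store.authenticate(victim_sid, "203.0.113.10")

    return {"fixation": fixation, "hijack": hijack, "legit": legit, "same_ip": same_ip}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Rotating the id at login is what actually closes the fixation hole; the IP check only raises the bar for replay from elsewhere and breaks for clients whose address changes mid-session (mobile networks, proxy pools), so it is best treated as one signal among several rather than as the authentication decision.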


