
Regarding Session Security

I've been delving into persistent sessions more, and I'm just wondering...
To prevent session-snatching (by someone else using the same session ID),
would putting the IP address as a session variable, and checking that on
every page, be an effective deterrent? This still allows for IP spoofing,
but anyone going that far can have it, as far as I care.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #1
FLEB <so*********@mmers.and.evil.ones.will.bow-down-to.us> writes:
> I've been delving into persistent sessions more, and I'm just wondering...
> To prevent session-snatching (by someone else using the same session ID),
> would putting the IP address as a session variable, and checking that on
> every page, be an effective deterrent? This still allows for IP spoofing,
> but anyone going that far can have it, as far as I care.


Whether the check you describe would be reliable and effective
depends on your environment. Do your users have a 1:1 mapping with
IP addresses? Does a particular user always use the same IP address?
These conditions may be true in certain environments, but they're
not true on the Internet.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
Jul 17 '05 #2
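
The per-page IP check from the question, run against the two conditions raised in the reply, as an added example that is not part of the original thread. The in-memory store, the function names and the addresses (documentation ranges) are constructed for illustration.

```python
import secrets

# In-memory session store for the demonstration (hypothetical; a real
# application would use its framework's session storage).
SESSIONS = {}

def create_session(user, client_ip):
    """Issue a random session ID and record the IP it was created from."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return sid

def check_request(sid, client_ip):
    """Per-page check: accept only if the request IP matches the stored one.

    Returns the user name on success, None on unknown session or mismatch.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["ip"] != client_ip:
        # Mismatch: destroy the session so the ID cannot be retried.
        del SESSIONS[sid]
        return None
    return session["user"]

def demo():
    """Run three cases on constructed addresses and report each outcome."""
    results = {}
    # Case 1: the session ID is presented from a different address.
    sid = create_session("alice", "203.0.113.10")
    results["other_ip_rejected"] = check_request(sid, "198.51.100.7") is None

    # Case 2: no 1:1 user-to-IP mapping. Two people behind one shared
    # address look identical to the check, so the second is accepted.
    sid = create_session("bob", "203.0.113.50")
    results["same_ip_accepted"] = check_request(sid, "203.0.113.50") == "bob"

    # Case 3: the user's own address changes mid-session, so the
    # legitimate user fails the check and loses the session.
    sid = create_session("carol", "203.0.113.60")
    results["legit_user_rejected"] = check_request(sid, "203.0.113.61") is None
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```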
