Re[7]: [Phplib-users] new Session4 changes
From: Maxim D. <max...@bo...> - 2002-12-02 10:59:52
Hello Richard,

Monday, December 02, 2002, 1:35:36 PM, you wrote:

>> Well, I know that. But it does not resolve the session hijack issue.

RA> Well, using IP address is not a viable solution in any case.
RA> Too many ISPs run load balancing proxy servers. Mine for instance :)

The check mentioned affects only cookieless clients with changing IP (if they change IP several times during the session, providing SID in URL or POST body only). I suppose we could also check X-Forwarded-For ...
In any case, a possibility to avoid session hijacks should be added, IMCO. The only marker I could see by now is the user's IP address - everything else is even less reliable.

--
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager, Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
www.books.ru, www.symbol.ru
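The check discussed in this message, sketched as an added example (not PHPLib code and not from the thread): a session is bound to the client address only when the SID arrives in the URL or POST body. The function names, the `bound_ip` key and the trusted-proxy list are hypothetical, and X-Forwarded-For is honoured only when the direct peer is a proxy the site operates, because the header is otherwise client-supplied.

```php
<?php
// Added example, not PHPLib code. All names below are hypothetical.

// Constructed list of proxies we operate ourselves; X-Forwarded-For is
// client-supplied and is honoured only when the direct peer is one of these.
const TRUSTED_PROXIES = ['10.0.0.5'];

/** Pick the address to bind to: the peer, or the last XFF hop behind our proxy. */
function client_marker(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

/**
 * Returns true if the request may use the session. $session is the stored
 * session data (by reference so the first request can record the marker);
 * $sidFromCookie says whether the SID arrived in a cookie.
 */
function session_request_allowed(array &$session, array $server, bool $sidFromCookie): bool
{
    if ($sidFromCookie) {
        return true;                       // check applies to cookieless clients only
    }
    $marker = client_marker($server);
    if (!isset($session['bound_ip'])) {
        $session['bound_ip'] = $marker;    // first URL/POST-borne request binds the session
        return true;
    }
    return hash_equals($session['bound_ip'], $marker);
}

// Constructed requests: the same SID presented from two different addresses.
$sess = [];
var_dump(session_request_allowed($sess, ['REMOTE_ADDR' => '198.51.100.7'], false));
var_dump(session_request_allowed($sess, ['REMOTE_ADDR' => '198.51.100.7'], false));
var_dump(session_request_allowed($sess, ['REMOTE_ADDR' => '203.0.113.9'], false));
var_dump(session_request_allowed($sess, ['REMOTE_ADDR' => '203.0.113.9'], true));
```

A rejection from this check cannot tell a replayed URL apart from a legitimate user whose ISP proxy pool switched addresses mid-session, which is the objection quoted in the message.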