RE: Re[7]: [Phplib-users] new Session4 changes
From: Rob H. <rob...@ws...> - 2002-12-02 15:02:02
Also, X-Forwarded-For does not work reliably, probably less so than the IP address.

Rob Hutton
Web Safe
www.wsafe.com

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Maxim Derkachev
> Sent: Monday, December 02, 2002 5:59 AM
> To: Richard Archer
> Cc: php...@li...
> Subject: Re[7]: [Phplib-users] new Session4 changes
>
> Hello Richard,
>
> Monday, December 02, 2002, 1:35:36 PM, you wrote:
>
> >> Well, I know that. But it does not resolve the session hijack issue.
>
> RA> Well, using IP address is not a viable solution in any case.
> RA> Too many ISPs run load balancing proxy servers. Mine for instance :)
>
> The check mentioned affects only cookieless clients with changing IP
> (if they change IP several times during the session, providing the SID in
> the URL or POST body only). I suppose we could also check X-Forwarded-For ...
> In any case, a possibility to avoid session hijacks should be added,
> IMCO. The only marker I could see by now is the user's IP address -
> everything else is even less reliable.
>
> --
> Best regards,
> Maxim Derkachev mailto:max...@bo...
> IT manager,
> Symbol-Plus Publishing Ltd.
> phone: +7 (812) 324-53-53
> www.books.ru, www.symbol.ru
>
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
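The thread above argues over binding a session to the client's IP address and whether X-Forwarded-For helps. The sketch below is an added illustration written for this archive page; it is not PHPLib code and not anything Rob, Maxim or Richard posted. It shows the one way X-Forwarded-For can be used at all for this purpose: the header is only trusted when the direct TCP peer is one of your own reverse proxies (the TRUSTED_PROXIES list, the session row layout, and the sample requests are all constructed for the example), because any client can send an arbitrary X-Forwarded-For value with its request.

```php
<?php
// Added example, not PHPLib code: derive a client address for session
// binding, trusting X-Forwarded-For only behind our own proxies.
declare(strict_types=1);

// Constructed list of reverse proxies whose X-Forwarded-For we trust.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address the session should be bound to.
 * $remoteAddr is the TCP peer (REMOTE_ADDR); $xff is the raw
 * X-Forwarded-For header, or null if absent. The header is ignored
 * unless the peer is a trusted proxy, since the client controls it.
 */
function client_address(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || !in_array($remoteAddr, TRUSTED_PROXIES, true)) {
        return $remoteAddr;
    }
    // Proxies append the address they saw at the end of the header, so walk
    // right-to-left, skipping our own hops; the first hop not in the trusted
    // list is the address the outermost trusted proxy actually connected with.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr;   // malformed header: fall back to the peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remoteAddr;           // every hop was one of our own proxies
}

/**
 * The check discussed in the thread: a SID presented from an address
 * other than the one recorded at session creation is rejected.
 * $session is the stored session row; only the 'ip' key is used here.
 */
function session_ip_matches(array $session, string $remoteAddr, ?string $xff): bool
{
    return hash_equals($session['ip'], client_address($remoteAddr, $xff));
}

// Constructed session row and sample requests.
$session = ['sid' => 'abc', 'ip' => '203.0.113.7'];

$cases = [
    ['legitimate user via our proxy',          '10.0.0.5',     '203.0.113.7'],
    ['direct client spoofing X-Forwarded-For',  '198.51.100.9', '203.0.113.7'],
    ['spoofer behind our proxy (proxy appends)', '10.0.0.5',    '203.0.113.7, 198.51.100.9'],
    ['no header, address changed (ISP rotation)', '203.0.113.8', null],
];

foreach ($cases as [$label, $peer, $xff]) {
    printf("%-45s %s\n", $label,
        session_ip_matches($session, $peer, $xff) ? 'accepted' : 'rejected');
}
```

Running it shows both halves of the argument: the spoofed header from an untrusted peer is discarded, and a spoofed hop behind the proxy is exposed because the proxy appends the real peer address after it. The last case shows Richard's objection, though: a legitimate user whose ISP moves them between outbound proxies mid-session is rejected exactly like an attacker, so this check can only ever be an optional, per-site policy.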