Geert Jansen
geert at boskant.nl
Mon Jun 9 12:45:25 EST 2003
> On Sun, Jun 08, 2003 at 03:43:12PM -0600, Gre7g Luterman wrote:
> > > Then get them to log in (and thus initiate that session), then I can
> > > hijack their session by using the same URL. At least with cookies
> > > it's much harder to get someone to install a cookie for a foreign
> > > site on their browser.
> >
> > I suppose I didn't mention it, but I do test the remote IP address
> > against the IP address recorded in the session pickle.
>
> That can cause trouble for people behind multiple, layer-4
> switched caches.. the remote IP will be different for
> different requests..
>
> That's rare, but it does happen.

Something that will cause trouble with this too are on-demand dialing
ISDN modems which usually have a hangup timeout of about 120 seconds.
If the user stays idle for more than two minutes, the modem will
hangup, then redial and get a different IP address.

Geert
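The check discussed in this thread, binding a session to the remote IP recorded when it was created, can be shown in a few lines. The following is an added example written for this archive page; it is not code from any poster, and the `SessionStore` class, its in-memory dict (standing in for the "session pickle" mentioned above) and the sample addresses are all constructed here. It demonstrates both sides of the trade-off: a session identifier presented from a different address is rejected, which is the intended defence, but so is the legitimate user whose ISDN line redialled or whose requests arrive through several caches with different source addresses.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session store (the thread's real store is a pickle on disk)."""

    def __init__(self, bind_ip=True):
        # bind_ip=True reproduces the check described in the thread:
        # the remote IP must match the one recorded at session creation.
        self.bind_ip = bind_ip
        self._sessions = {}

    def create(self, user, remote_ip):
        # An unguessable identifier: 256 bits from the OS CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": remote_ip, "created": time.time()}
        return sid

    def validate(self, sid, remote_ip):
        """Return the user for a valid session, or None if it must be rejected."""
        record = self._sessions.get(sid)
        if record is None:
            # Unknown identifier: guessed, expired or never issued.
            return None
        if self.bind_ip and record["ip"] != remote_ip:
            # Same identifier, different source address. This stops a session
            # id copied out of a URL from being replayed from another host,
            # but also rejects the legitimate user after an IP change.
            return None
        return record["user"]


def demo():
    """Walk through the scenarios raised in the thread; returns a dict of outcomes."""
    results = {}

    strict = SessionStore(bind_ip=True)
    sid = strict.create("alice", "10.0.0.5")          # constructed sample address
    results["same_ip"] = strict.validate(sid, "10.0.0.5")

    # Identifier copied from a URL and presented from another host: rejected.
    results["other_host"] = strict.validate(sid, "192.0.2.77")

    # The ISDN case: same user, modem hung up and redialled, new address.
    results["after_redial"] = strict.validate(sid, "10.0.0.9")

    # Without the IP check the redialled user keeps working, but so would
    # anyone who obtained the identifier; only the id's secrecy protects it.
    loose = SessionStore(bind_ip=False)
    sid2 = loose.create("alice", "10.0.0.5")
    results["loose_after_redial"] = loose.validate(sid2, "10.0.0.9")

    # A made-up identifier is rejected by either store.
    results["unknown_sid"] = loose.validate("not-a-real-session-id", "10.0.0.5")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20s} -> {outcome}")
```

Running the script prints one line per scenario; `same_ip` and `loose_after_redial` resolve to the user, while `other_host`, `after_redial` and `unknown_sid` come back as `None`. The two `None`s in the strict store are the point of the thread: the check cannot tell a replayed identifier from a legitimate user whose address changed, so it trades a stronger defence against URL-borne session ids for false rejections of users behind redialling links or multiple caches.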