Re: Linking a cookie to an IP address is a very bad in 2015...

What about linking to several? I wrote a session system for my Web Server
that will only allow access to the original Session ID if the IP &
User-Agent have remained unchanged, in order to protect against session
hijacking. I've found it's highly effective, unless you IP Spoof.

On Wed, Apr 1, 2015 at 8:16 AM, Willy Tarreau <> wrote:

> On Wed, Apr 01, 2015 at 08:14:06AM -0700, Jim Manico wrote:
> > I think using the IP address for these purposes is fantastic - in intranet
> > environments where IP per user is static. :)
> That was my initial goal in 1999 until I realized that some clients were
> using DHCP and that it would not even work outside due to the so-called
> "AOL effect" by then.
> Willy

Received on Wednesday, 1 April 2015 19:49:05 UTC
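
Added example, not part of the original thread and not the poster's code: a minimal session store that binds a session ID to the IP address and User-Agent that created it, showing both the stolen-cookie rejection described in the reply and the changed-address lockout raised in the quoted message. The class name, method names, result strings and all addresses are assumptions made for illustration; dropping the session on a mismatch is a design choice of this sketch.

```python
import hashlib
import hmac
import secrets


class BoundSessionStore:
    """Session IDs honoured only from the IP and User-Agent that created them."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-process key for the fingerprint MAC
        self._sessions = {}                  # session id -> fingerprint bytes

    def _fingerprint(self, ip, user_agent):
        # Length-prefix each field so the two values cannot run into each other.
        msg = b"".join(len(p).to_bytes(4, "big") + p
                       for p in (ip.encode(), user_agent.encode()))
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def create(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)      # unguessable session ID
        self._sessions[sid] = self._fingerprint(ip, user_agent)
        return sid

    def validate(self, sid, ip, user_agent):
        expected = self._sessions.get(sid)
        if expected is None:
            return "unknown"
        if not hmac.compare_digest(expected, self._fingerprint(ip, user_agent)):
            del self._sessions[sid]          # mismatch: retire the ID (choice of this sketch)
            return "rejected"
        return "ok"


def demo():
    # Constructed sample values: documentation address ranges, made-up User-Agent.
    store = BoundSessionStore()
    ua = "ExampleBrowser/1.0"
    results = {}
    sid = store.create("192.0.2.10", ua)
    results["same_client"] = store.validate(sid, "192.0.2.10", ua)
    results["cookie_from_other_ip"] = store.validate(sid, "203.0.113.7", ua)
    results["after_reject"] = store.validate(sid, "192.0.2.10", ua)
    # Same user, but the address changed mid-session (DHCP lease, proxy pool).
    sid2 = store.create("198.51.100.4", ua)
    results["same_user_new_ip"] = store.validate(sid2, "198.51.100.5", ua)
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the cost of the binding: the store cannot tell a legitimate address change from a replayed cookie, so both end the session.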