That's a great point. What about User-Agent checking?
On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
> > What about linking to several? I wrote a session system for my Web Server
> > that will only allow access to the original Session ID if the IP &
> > User-Agent have remained unchanged, in order to protect against session
> > hijacking. I've found it's highly effective, unless you IP Spoof.
>
> Sure it's highly effective. Just like it's highly effective in randomly
> denying access to people who browse using multiple WiFi access points or
> who switch between 3G and WiFi.
>
> Willy
>
>
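The trade-off discussed in this thread, as an added example that is not part of either message and is not the code of the web server mentioned above: a session store that binds each session ID to the client's IP and User-Agent, compared with one that binds to User-Agent only. `SessionStore`, `roaming_demo`, the addresses and the User-Agent strings are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Binds each session ID to client attributes seen at login (hypothetical design)."""

    def __init__(self, bind_ip=True, bind_user_agent=True):
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self._key = secrets.token_bytes(32)   # per-process key for the binding MAC
        self._sessions = {}                   # session id -> binding digest

    def _binding(self, ip, user_agent):
        # Attributes that are not bound are replaced by an empty field.
        parts = [ip if self.bind_ip else "", user_agent if self.bind_user_agent else ""]
        msg = "\x00".join(parts).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def create(self, ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._binding(ip, user_agent)
        return sid

    def validate(self, sid, ip, user_agent):
        expected = self._sessions.get(sid)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._binding(ip, user_agent))


def roaming_demo():
    """Constructed scenario: same browser, network change, then a different client."""
    ua = "ExampleBrowser/1.0"                            # constructed User-Agent
    wifi_ip, mobile_ip = "192.0.2.10", "198.51.100.7"    # documentation ranges
    results = {}
    for name, store in (("ip+ua", SessionStore()),
                        ("ua-only", SessionStore(bind_ip=False))):
        sid = store.create(wifi_ip, ua)
        results[name] = {
            "same_network": store.validate(sid, wifi_ip, ua),
            "switched_to_mobile": store.validate(sid, mobile_ip, ua),
            "other_client": store.validate(sid, "203.0.113.5", "OtherAgent/2.0"),
        }
    return results

if __name__ == "__main__":
    for policy, outcome in roaming_demo().items():
        print(policy, outcome)
```

The User-Agent header is supplied by the client, so the `ua-only` policy rejects a replayed session ID only when the other client sends a different header value.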