Re: Linking a cookie to an IP address is a very bad in 2015... from Walter H. on 2015-04-03 (ietf-http-wg@w3.org from April to June 2015)

From: Walter H. <Walter.H@mathemainzel.info>
Date: Fri, 03 Apr 2015 09:10:56 +0200
To: Max Bruce <max.bruce12@gmail.com>
CC: Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <551E3D00.5090501@mathemainzel.info>

On 01.04.2015 21:48, Max Bruce wrote:
> What about linking to several? I wrote a session system for my Web 
> Server that will only allow access to the original Session ID if the 
> IP & User-Agent has remained unchanged, in order to protect against 
> session hijacking. I've found it's highly effective, unless you IP Spoof.
what kind of mechanism do you use for transmitting the Session ID from 
host to server?
does it prevent access from an ident configured but different host 
behind a NAT?

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Friday, 3 April 2015 07:11:27 UTC