- From: Walter H. <Walter.H@mathemainzel.info>
- Date: Sat, 04 Apr 2015 11:49:25 +0200
- To: Max Bruce <max.bruce12@gmail.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <551FB3A5.503@mathemainzel.info>

let me ask it differently: where is the Session ID, is it part of a http-header, part of a html-header, a session-cookie, or is it part of the URL itself that is requested?

the second: two ident configured hosts behind NAT differ neither in the user agent nor in the IP address; they only differ in the source TCP-port ...

On 03.04.2015 09:13, Max Bruce wrote:
> When you say transmitting from host to server, what do you mean?
> And yes, if I understand what you're asking. It effectively compiled a
> random hash, and then enforced an IP & user agent. I have recently
> removed the IP enforcement though.
>
> On Fri, Apr 3, 2015 at 12:10 AM, Walter H. <Walter.H@mathemainzel.info> wrote:
>
> On 01.04.2015 21:48, Max Bruce wrote:
>> What about linking to several? I wrote a session system for my
>> Web Server that will only allow access to the original Session ID
>> if the IP & User-Agent has remained unchanged, in order to
>> protect against session hijacking. I've found it's highly
>> effective, unless you IP Spoof.
> what kind of mechanism do you use for transmitting the Session ID
> from host to server?
> does it prevent access from an ident configured but different host
> behind a NAT?

Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Saturday, 4 April 2015 09:49:51 UTC
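
Added example, not part of the original messages and not the code of the web server discussed in the thread: a minimal session store that binds a session ID to the client IP and User-Agent, run against the NAT case raised above. The names `Request`, `SessionStore` and `nat_demo`, the addresses and the User-Agent strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src_ip: str        # address the server sees (for NAT clients: the NAT's)
    src_port: int      # changes per connection, so it cannot be bound to
    user_agent: str
    session_id: str = ""


class SessionStore:
    # Hypothetical store: session ID -> fingerprint of the creating client.
    def __init__(self, bind_ip: bool = True):
        self.bind_ip = bind_ip
        self._sessions = {}

    def _fingerprint(self, req: Request) -> str:
        parts = [req.user_agent] + ([req.src_ip] if self.bind_ip else [])
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def create(self, req: Request) -> str:
        sid = secrets.token_urlsafe(32)   # the "random hash" of the thread
        self._sessions[sid] = self._fingerprint(req)
        return sid

    def validate(self, req: Request) -> bool:
        expected = self._sessions.get(req.session_id)
        return expected is not None and hmac.compare_digest(
            expected, self._fingerprint(req))


def nat_demo() -> dict:
    ua = "ExampleBrowser/1.0"             # constructed sample values
    nat, elsewhere = "203.0.113.7", "198.51.100.9"
    strict, ua_only = SessionStore(bind_ip=True), SessionStore(bind_ip=False)
    sid = strict.create(Request(nat, 40001, ua))
    sid2 = ua_only.create(Request(nat, 40001, ua))
    return {
        "owner": strict.validate(Request(nat, 40002, ua, sid)),
        # Second host behind the same NAT, same UA: only the port differs.
        "nat_peer": strict.validate(Request(nat, 51515, ua, sid)),
        "other_ip": strict.validate(Request(elsewhere, 40001, ua, sid)),
        "other_ua": strict.validate(Request(nat, 40001, "Other/2.0", sid)),
        "other_ip_ua_only": ua_only.validate(Request(elsewhere, 40001, ua, sid2)),
    }
```

`nat_demo()` returns `True` for `nat_peer`: the binding check cannot separate two identically configured hosts behind one NAT, so it is only as strong as the confidentiality of the session ID in transit.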