[13645] in cryptography@c2.net mail archive
RE: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (Jill.Ramonsky@Aculab.com)
Mon Jun 16 08:52:04 2003
X-Original-To: cryptography@metzdowd.com
From: Jill.Ramonsky@Aculab.com
To: cryptography@metzdowd.com
Date: Mon, 16 Jun 2003 10:47:04 +0100
I've come up with a (very simple) defence against session hijacking and so
on. It's probably flawed (I admit I'm not an expert on these things), so if
someone could please tell me why it won't work, I'd be very grateful.
When the user logs in, the server stores the client's IP address in a
session variable (so it's stored at the server end - the client just gets a
session id). Authentication of subsequent pages is assumed only if the
client's IP address matches the IP address stored in the session variable
corresponding to the client's session.
Is this secure? If not, why not?
Jill
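The scheme described in the message, written out as an added example (not code from the post or from the list): the client IP is recorded server-side when the session is issued, and every later request is authenticated only if its source address equals the recorded one. The in-memory store, the function names, the time-out value and the sample addresses are assumptions made for the example. A fresh session id is issued at login rather than reusing any id the client presented earlier, which is the usual counterpart to this kind of binding. Because the comparison is exact, a client whose address changes mid-session (for instance behind a rotating proxy pool) is treated as anonymous and has to log in again.

```python
import secrets
import time

# Constructed in-memory session store: session_id -> record.
# The IP lives only on the server side; the client holds just the opaque id.
SESSIONS = {}
SESSION_TTL = 30 * 60  # idle time-out in seconds (assumed value)


def login(user, client_ip, now=None):
    """Issue a fresh session for `user`, bound to the address it was created from.

    The id is generated here, never taken from the request, so an id that
    existed before authentication never becomes an authenticated session.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        "ip": client_ip,
        "created": now,
        "last_seen": now,
    }
    return session_id


def authenticated_user(session_id, client_ip, now=None):
    """Return the user for this request, or None if it must be treated as anonymous."""
    now = time.time() if now is None else now
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    # Idle sessions are discarded rather than kept around indefinitely.
    if now - record["last_seen"] > SESSION_TTL:
        SESSIONS.pop(session_id, None)
        return None
    # The check from the message: the presenting address must equal the one
    # stored at login. Any mismatch makes the request unauthenticated.
    if record["ip"] != client_ip:
        return None
    record["last_seen"] = now
    return record["user"]


def logout(session_id):
    """Invalidate a session server-side; the id is useless afterwards."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    # Constructed sample run with documentation-range addresses.
    sid = login("alice", "203.0.113.10")
    print(authenticated_user(sid, "203.0.113.10"))  # alice
    print(authenticated_user(sid, "198.51.100.7"))  # None: different address
    logout(sid)
    print(authenticated_user(sid, "203.0.113.10"))  # None: session gone
```

`authenticated_user` is meant to run at the start of every request handler; a `None` result should route the request to the login page rather than being treated as a soft failure.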
[Moderator's Note: you might want to read the original paper again. It
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com