NYCPHP Meetup

NYPHP.org

[nycphp-talk] Session security: protecting against hijacking attempts

csnyder chsnyder at gmail.com
Wed Dec 15 15:55:50 EST 2004


As you said, SSL is the only way to be sure.

If I'm using your website through my evil neighbor's wireless access
point, and she decides to hijack my session, there is nothing we can
do about it. She'll probably duplicate my user-agent header, she has
the same IP address, and if she passes the same session cookie then
she *is* me, as far as your server can tell.

It used to be that a hijacker had to live inside the ISP to be able to
capture the packets -- but with wireless, anyone can play.

You can prevent inadvertent hijacking by requiring cookies.
Otherwise... good luck.
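The two controls the reply names, cookie-only session IDs and SSL-only cookies, as a PHP session bootstrap. This is an added example written for current PHP, not code from the post or the list; the function names `secure_session_start()` and `on_login()` are this example's own.

```php
<?php
// Added example: cookie-only, SSL-only session bootstrap.
// Function names are assumptions for illustration, not a library API.

function secure_session_start(): void
{
    // Refuse to run without SSL: without it the session cookie can be
    // read on a shared wireless link, which is the case the reply describes.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('HTTP/1.1 403 Forbidden');
        exit('This site requires HTTPS.');
    }

    // Accept the session ID only from the cookie, never from the URL,
    // and never rewrite links to carry it. This is the "require cookies"
    // step: it stops IDs leaking through Referer headers, proxy logs and
    // pasted links, the inadvertent hijacking the reply mentions.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued

    // Cookie flags: send only over SSL, keep away from client-side script.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Call after a successful login so the authenticated session does not
// keep the ID that was issued before authentication.
function on_login(int $userId): void
{
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['started'] = time();
}

secure_session_start();
```

None of this helps against the neighbour who already holds the cookie; it only keeps the cookie from reaching her in the first place.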


