
[nycphp-talk] Session security: protecting against hijacking attempts POSSIBLE SOLUTION

csnyder chsnyder at gmail.com
Wed Dec 22 13:47:40 EST 2004


> md5sum of the useragent+ip address+seconds since last request. 
> All three values are known entities to both the client and the server

Not true -- my client seldom knows what IP address the server will
see, because I'm behind a NATing router.

Also, if you think this through it doesn't prevent a man-in-the-middle
attack. MITM knows all of this info, and has a copy of the javascript
required to generate the id.

SSL is the only way to prevent session hijacking in all cases.
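As an added illustration of the two objections above (not code from the thread or from any poster), the following Python models the proposed scheme, md5 over user agent + IP address + seconds since last request, and shows both failure modes: a client behind NAT computes the token with an address the server never sees, so a legitimate user is rejected, and the token is a pure function of data carried in the request itself, so it offers no secret that an on-path observer lacks. The sample values (user agent string, addresses, timing) are constructed; the hardened alternative, an opaque random identifier from `secrets`, is the standard practice the thread's SSL recommendation assumes, since transport encryption only helps if the identifier it protects is itself unpredictable.

```python
import hashlib
import secrets

# Constructed sample values (not taken from the thread).
USER_AGENT = "Mozilla/5.0 (constructed-sample)"
LAN_IP = "192.168.1.10"       # address the client sees on its own interface
PUBLIC_IP = "203.0.113.7"     # address the server sees after NAT
SECONDS_SINCE_LAST = 42


def proposed_session_id(user_agent: str, ip_address: str, seconds_since_last: int) -> str:
    """The scheme quoted in the thread: md5 over values both ends supposedly share."""
    material = f"{user_agent}|{ip_address}|{seconds_since_last}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def nat_causes_mismatch(user_agent: str = USER_AGENT, lan_ip: str = LAN_IP,
                        public_ip: str = PUBLIC_IP, seconds: int = SECONDS_SINCE_LAST) -> bool:
    """Client derives the id from the address it knows; the server derives it from the
    address it observes.  Behind NAT those differ, so the ids never match."""
    client_side = proposed_session_id(user_agent, lan_ip, seconds)
    server_side = proposed_session_id(user_agent, public_ip, seconds)
    return client_side != server_side


def derivable_from_request(user_agent: str, observed_ip: str, seconds: int,
                           presented_id: str) -> bool:
    """True when the presented id can be recomputed from data visible in the request.
    For the proposed scheme this always holds: there is no secret input, only headers,
    the source address and timing, all of which an on-path observer also sees."""
    return proposed_session_id(user_agent, observed_ip, seconds) == presented_id


def random_session_id(nbytes: int = 16) -> str:
    """Hardened alternative: an opaque 128-bit random id.  Nothing in the request
    determines it, so derivable_from_request() is False for it; its confidentiality
    in transit is then the job of TLS, as the reply above concludes."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    weak = proposed_session_id(USER_AGENT, PUBLIC_IP, SECONDS_SINCE_LAST)
    strong = random_session_id()
    print("NAT breaks the proposed scheme:", nat_causes_mismatch())
    print("proposed id recomputable from request data:",
          derivable_from_request(USER_AGENT, PUBLIC_IP, SECONDS_SINCE_LAST, weak))
    print("random id recomputable from request data:",
          derivable_from_request(USER_AGENT, PUBLIC_IP, SECONDS_SINCE_LAST, strong))
```

The point of `derivable_from_request` is the property to check in any session-id design: if the identifier can be computed from what the request already carries, binding it to the user agent or address adds no protection against whoever can read that request.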


