On Tue, 27 Jan 2009 08:26:12 -0500
Brian Mearns <bmearns@xxxxxxxx> wrote:

> Sorry, this isn't strictly apache related, but this seems like a good
> place to find HTTP expertise and insight. I'm just wondering if
> ip-address-spoofing is of concern with HTTP in general? Specifically,
> I'm using server side sessions and "authenticating" them against IP
> address.

Forget spoofing. Any correspondence of IP addresses to clients
can never be taken as more than coincidence.

> By this I mean I'm just verifying each time the session id is
> sent by the client (in the query string or in a cookie) that it's from
> the same IP-address as the one that initiated the session to make sure
> someone hasn't hijacked another person's session.

So anyone coming through a proxy pool is screwed. Do you explain
that to them?

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
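
Added example, not part of the original thread and not Apache httpd code: a minimal session store that applies the IP check described in the question, replayed over constructed traffic. It shows the proxy-pool case from the reply and goes one step further with the reverse case, several clients seen from one address. The class and function names and the addresses are assumptions made for illustration.

```python
import secrets


class IPBoundSessions:
    """Hypothetical server-side session store that pins a session to one IP."""

    def __init__(self):
        self._sessions = {}  # session id -> IP address seen when it was created

    def create(self, remote_addr):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = remote_addr
        return sid

    def validate(self, sid, remote_addr):
        # The check from the question: same IP as the one that began the session.
        return self._sessions.get(sid) == remote_addr


def replay(store, sid, requests):
    """Return (client, accepted) for each constructed (client, remote_addr) pair."""
    return [(client, store.validate(sid, addr)) for client, addr in requests]


# Constructed sample traffic; addresses come from the RFC 5737 documentation ranges.
PROXY_POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # one user, rotating egress
SHARED_GATEWAY = "198.51.100.7"                          # many users, one egress


def demo():
    store = IPBoundSessions()

    # Case 1: one legitimate user whose requests leave through a proxy pool.
    sid_a = store.create(PROXY_POOL[0])
    pool_results = replay(store, sid_a, [("user_a", ip) for ip in PROXY_POOL])

    # Case 2: two different clients behind the same gateway present the same id.
    sid_b = store.create(SHARED_GATEWAY)
    shared_results = replay(store, sid_b, [("user_b", SHARED_GATEWAY),
                                           ("other_client", SHARED_GATEWAY)])
    return pool_results, shared_results


if __name__ == "__main__":
    for results in demo():
        for client, ok in results:
            print(f"{client:13s} {'accepted' if ok else 'rejected'}")
```

The first case rejects a legitimate user on every request after the pool rotates; the second accepts a different client because the address matches, so the check neither identifies the user nor excludes anyone else behind the same egress.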