On Tue, Jan 27, 2009 at 9:52 AM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
> On Tue, 27 Jan 2009 08:26:12 -0500
> Brian Mearns <bmearns@xxxxxxxx> wrote:
>> By this I mean I'm just verifying each time the session id is
>> sent by the client (in the query string or in a cookie) that it's from
>> the same IP-address as the one that initiated the session to make sure
>> someone hasn't hijacked another person's session.
>
> So anyone coming through a proxy pool is screwed. Do you explain
> that to them?

Hmm. I had considered the rare case that a dynamic IP address could change, in which case I would just make them re-authenticate before blowing away their session. But I guess if their address is changing every time, that's not really feasible.

So basically what I'm coming to is that sessions aren't completely insecure unless over HTTPS?

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
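The exchange above, worked through as an added example that is not code from this thread or from the Apache project: a minimal session store that pins each session to the IP address that created it and, on a mismatch, marks the session as needing re-authentication instead of destroying it (the approach Brian describes). The `simulate` helper then shows why Nick's objection matters: a client whose requests arrive from a rotating proxy pool is challenged on every request. The `SessionStore` class, the helper names and the RFC 5737 documentation addresses used as sample traffic are all assumptions constructed for this example; the `Secure` cookie attribute shown at the end is the standard way to keep the session id off plaintext HTTP once the site is served over HTTPS.

```python
"""Added example (not from the mailing-list thread): IP-pinned sessions and what
they do to a client behind a rotating proxy pool."""
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    user: str
    ip: str                   # IP address that created (or last re-authenticated) the session
    authenticated: bool = True


class SessionStore:
    """Hypothetical in-memory session store; the names here are this example's own."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, ip):
        # Session ids must be unpredictable; 32 random bytes is ample.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, ip=ip)
        return sid

    def validate(self, sid, ip):
        """Return (user, needs_reauth).

        On an IP mismatch the session is kept but flagged, so the user is asked to
        log in again rather than losing the session outright. Note that the flag
        also hits the legitimate user the next time they return from their original
        address, which is the intended effect after a suspected hijack."""
        s = self._sessions.get(sid)
        if s is None:
            return None, True
        if s.ip != ip:
            s.authenticated = False
            return s.user, True
        return s.user, not s.authenticated

    def reauthenticate(self, sid, ip):
        """Called after a successful re-login: rebind the session to the new address."""
        s = self._sessions[sid]
        s.ip = ip
        s.authenticated = True


def simulate(store, sid, request_ips):
    """Count how many requests force a re-login for a client whose requests arrive
    from the given sequence of source addresses (the client re-logs in each time)."""
    prompts = 0
    for ip in request_ips:
        _user, needs = store.validate(sid, ip)
        if needs:
            prompts += 1
            store.reauthenticate(sid, ip)
    return prompts


def session_cookie_header(sid, https):
    """Set-Cookie line for the session id. Over HTTPS, add the Secure attribute so
    the browser never sends the id over plaintext HTTP; HttpOnly keeps it away from
    page scripts. Both are standard cookie attributes."""
    attrs = ["Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: SESSIONID=%s; %s" % (sid, "; ".join(attrs))


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample traffic: one client on a fixed address, one behind a proxy pool.
    fixed = store.create("alice", "192.0.2.10")
    print("fixed-address client re-logins:", simulate(store, fixed, ["192.0.2.10"] * 4))
    pooled = store.create("bob", "203.0.113.1")
    print("proxy-pool client re-logins:",
          simulate(store, pooled, ["203.0.113.2", "203.0.113.3", "203.0.113.4"]))
    print(session_cookie_header(fixed, https=True))
```

The proxy-pool result is the point of Nick's reply: with per-request address changes, IP pinning degrades into a login prompt on every page, so it cannot be relied on as the session's protection; keeping the session id confined to HTTPS (with the `Secure` attribute) addresses the plaintext-exposure risk that the IP check was trying to compensate for.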