[nycphp-talk] Session security: protecting against hijacking attempts POSSIBLE SOLUTION
csnyder
chsnyder at gmail.com
Wed Dec 22 13:47:40 EST 2004
> md5sum of the useragent+ip address+seconds since last request.
> All three values are known entities to both the client and the server
Not true -- my client seldom knows what IP address the server will
see, because I'm behind a NATing router.
Also, if you think this through, it doesn't prevent a man-in-the-middle
attack. MITM knows all of this info, and has a copy of the javascript
required to generate the id.
SSL is the only way to prevent session hijacking in all cases.
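The two objections above, worked through in code. This is an added example, not code from the original post or from anyone on the list; the `|` separator, the field names, and the addresses are constructed for the simulation. It models the proposed md5(useragent + ip + seconds since last request) token from three viewpoints: the server, the browser behind a NAT router (which knows only its private address), and a passive observer on the path (who sees the same cleartext headers, packet source address and timing as the server).

```python
"""Simulation of a session token derived from observable request data.

Added example, not from the original post. All values are constructed.
"""
import hashlib
import secrets


def derived_token(user_agent: str, client_ip: str, seconds_since_last: int) -> str:
    """The scheme from the quoted message: md5 over user agent, IP address and
    seconds since the previous request. The '|' separator is an assumption."""
    material = f"{user_agent}|{client_ip}|{seconds_since_last}"
    return hashlib.md5(material.encode()).hexdigest()


# Constructed request as the server sees it (and as anyone on the path sees it
# when the connection is plain HTTP).
SERVER_VIEW = {
    "remote_addr": "203.0.113.7",  # public address of the NAT router
    "user_agent": "Mozilla/5.0 (X11; Linux) Gecko/20041222",
    "seconds_since_last": 42,
}

# The same request from the browser's point of view: it knows its LAN address,
# not the address the server will see after NAT.
CLIENT_VIEW = dict(SERVER_VIEW, remote_addr="192.168.1.10")


def token_from_view(view: dict) -> str:
    return derived_token(view["user_agent"], view["remote_addr"], view["seconds_since_last"])


def server_token() -> str:
    return token_from_view(SERVER_VIEW)


def client_token() -> str:
    """What client-side JavaScript would compute with the IP it knows."""
    return token_from_view(CLIENT_VIEW)


def observer_token() -> str:
    """A passive on-path observer reads the same User-Agent header and packet
    source address and can timestamp the requests itself: same inputs, same hash."""
    return token_from_view(SERVER_VIEW)


def nat_breaks_scheme() -> bool:
    """True when the client's self-computed token does not match the server's."""
    return client_token() != server_token()


def observer_forges_token() -> bool:
    """True when the observer reproduces the server's token without any secret."""
    return observer_token() == server_token()


def random_session_id() -> str:
    """Contrast: a session ID drawn from a CSPRNG cannot be derived from the
    request at all. It can still be copied off a cleartext connection, which is
    what TLS (SSL) denies the observer."""
    return secrets.token_hex(16)


def is_derivable_from_wire(token: str, view: dict = SERVER_VIEW) -> bool:
    """Can an observer holding only what passed on the wire reproduce this token?"""
    return token_from_view(view) == token


if __name__ == "__main__":
    print("server token  :", server_token())
    print("client token  :", client_token(), "(mismatch: NAT)" if nat_breaks_scheme() else "")
    print("observer token:", observer_token(), "(forged)" if observer_forges_token() else "")
    sid = random_session_id()
    print("random sid    :", sid, "derivable:", is_derivable_from_wire(sid))
```

The random ID fixes the predictability problem only; an observer on an unencrypted connection simply reads it out of the Cookie header instead of computing it, which is why the post concludes that encryption, not a cleverer derivation, is what stops hijacking.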