Re: Is PHP session safe?

Posted by Jerry Stuckle on 06/12/07 03:19

Roman wrote:
> iktorn wrote:
>> howa wrote:
>>> 1. For example, without SSL, If I capture my local LAN packet and
>>> scanned the SESSION ID, is it possible to hijack the session?
>>>
>> unfortunately yes
>>
>>> 2. So any recommendation for web apps session handling without SSL?
>>>
>> - use very short session life time
>> - force user to login again before doing something important
>>
>
> How about caching the initiating IP during session creation? Unless
> potential hijacker is behind same NAT box, he will have different
> IP and should not be able to hijack.
>
> Roman

And what do you do when the IP address can change with every request -
for instance, AOL users and some corporations?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
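
The suggestions in this thread put together in one check, as an added example that is not part of any post above: a short idle lifetime, a fresh login before important actions, and an address change handled by asking for the password again rather than dropping the session, since the address can change with every request. The function names, the limits and the sample data are hypothetical.

```php
<?php
// Added example: names and limits below are hypothetical, not from the thread.
const IDLE_LIMIT   = 600; // seconds of inactivity before the session dies
const REAUTH_LIMIT = 300; // max age of the last password check for important actions

// $s stands in for $_SESSION. Returns 'ok', 'login' (session gone) or
// 'reauth' (ask for the password again before continuing).
function check_session(array &$s, string $ip, int $now, bool $important): string
{
    if (!isset($s['user'], $s['last_seen'], $s['auth_time'], $s['ip'])) {
        return 'login';
    }
    // Very short session lifetime: expire on inactivity.
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        $s = [];
        return 'login';
    }
    $s['last_seen'] = $now;

    // The address can change from request to request, so a change does not kill
    // the session; it only cancels the "recently logged in" status.
    if ($s['ip'] !== $ip) {
        $s['ip'] = $ip;
        $s['auth_time'] = 0;
    }
    // Force a login before doing something important.
    if ($important && $now - $s['auth_time'] > REAUTH_LIMIT) {
        return 'reauth';
    }
    return 'ok';
}

// Call after the password has been checked again. In a real application also
// call session_regenerate_id(true) here so the old ID stops working.
function mark_reauthenticated(array &$s, int $now): void
{
    $s['auth_time'] = $now;
}

// Constructed sample: login at t=1000 from 192.0.2.10 (documentation address).
$s = ['user' => 'alice', 'last_seen' => 1000, 'auth_time' => 1000, 'ip' => '192.0.2.10'];
echo check_session($s, '192.0.2.10', 1060, true), "\n";    // same address, fresh login
echo check_session($s, '198.51.100.7', 1120, false), "\n"; // address changed, ordinary page
echo check_session($s, '198.51.100.7', 1130, true), "\n";  // address changed, important action
mark_reauthenticated($s, 1140);
echo check_session($s, '198.51.100.7', 1150, true), "\n";  // password re-entered
echo check_session($s, '198.51.100.7', 2000, false), "\n"; // idle for longer than IDLE_LIMIT
```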
