The main reason Session ID-IP address correlation is infrequently used
is due to changes in IP addresses; namely, the AOL Proxy
(http://webmaster.info.aol.com/proxyinfo.html) makes this difficult
for widespread, Internet-facing applications.

Luke is right about IP spoofing, although this can still have some
value since the attacker will not receive responses sent back from the
server (unless they have successfully attacked the network/can sniff
traffic sent to the victim).

Hope this helps,

Rohit Sethi
Manager, Security Compass
http://www.securitycompass.com
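Added example, not code from this thread or from Acegi/Spring Security: a servlet filter that implements the session-migration approach Luke describes in the quoted message below (invalidate the pre-login session and issue a fresh one once an authentication is detected) instead of pinning the session to the client IP address. It assumes the javax.servlet API and a hypothetical session attribute named "AUTH_PRINCIPAL" that the application's own login code sets on success.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionMigrationFilter implements Filter {
    // Hypothetical attribute set by the application's login code on success.
    static final String PRINCIPAL = "AUTH_PRINCIPAL";
    // Marker so an already-rotated session is not rotated again on every request.
    static final String MIGRATED = "SESSION_MIGRATED";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        // Runs before the chain, so the response is not committed yet and the new
        // session cookie can still be sent; catches logins that skipped migrate().
        if (session != null && session.getAttribute(PRINCIPAL) != null
                && session.getAttribute(MIGRATED) == null) {
            migrate(http);
        }
        chain.doFilter(req, res);
    }

    // Call from the login handler right after authentication succeeds: the ID the
    // client held before login (possibly planted by an attacker) is invalidated.
    public static HttpSession migrate(HttpServletRequest http) {
        HttpSession old = http.getSession(false);
        Map<String, Object> attrs = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attrs.put(name, old.getAttribute(name)); // keep user state
            }
            old.invalidate(); // the container rejects the old ID from here on
        }
        HttpSession fresh = http.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(MIGRATED, Boolean.TRUE);
        return fresh;
    }
}
```

Because the filter only rotates on the request after login, the login handler itself should call migrate() so the pre-login ID dies before the login response is sent.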



Sun, May 25, 2008 at 7:36 PM, Luke Taylor <[EMAIL PROTECTED]> wrote:
> In theory an IP address can be faked or the attacker and victim might
> be behind the same NAT address, so it is not completely reliable.
>
> Spring Security's SessionFixationProtectionFilter invalidates the
> session and creates a new one when it detects that an
> authentication has taken place:
>
> http://www.owasp.org/index.php/Session_Fixation_in_Java
>
>
> On 24 May 2008, at 21:36, Axel Mendoza Pupo wrote:
>
>> What does session-fixation-protection do???
>> I resolved the session fixation problem by saving the IP address of
>> authenticated users, and a filter that always checks if the IP address
>> of the request is the same as the one I saved when the user
>> successfully authenticated.
>> Is this method insecure??
>> I do this because I still use Acegi 1.0.4 and I never heard about
>> acegi session-fixation-protection
>>
>>
>
> --
> SpringSource
> http://www.springsource.com
>
> Registered in England and Wales: No. 5187766 Registered Office: A2
> Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ.
>
>
>
>

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
