According to the security researchers who took over the Torpig botnet
and analyzed the data (read the PDF, it's good), some ISPs still
change IP addresses a lot... more than once an hour:

http://www.cs.ucsb.edu/~seclab/projects/torpig/

Jeff

On Wed, May 6, 2009 at 9:09 AM, Scott Ferguson <f...@caucho.com> wrote:
>
> On May 4, 2009, at 7:38 AM, Daniel Lopez wrote:
>
>> If Resin does not implement it itself, implementing a filter that
>> stores the IP in the session and checks on each request before passing
>> the request along should not be difficult. I don't know if Resin
>> already provides such a feature.
>
> Resin doesn't currently have that feature, so you'd need to use a
> filter.  There used to be ISPs that changed client IPs randomly as
> part of their normal operation.  AOL was the biggest.  If that
> behavior has changed so basically everyone uses a single client IP, we
> can make it an option.
>
> -- Scott
>
>>
>>
>> S!
>> D.
>>
>> Quoting Rafael Escolar | Bookassist <rafael.esco...@bookassist.com>:
>>
>>> Is there a way to force the session to invalidate or not to be
>>> recognized if the client IP changes?  This is a PCI requirement so
>>> that if a third party obtains a valid session ID they cannot use it to
>>> re-establish the original session with the server.
>>>
>>> Based on tests I have run using Resin 3.1.8 with the default
>>> configuration, it seems that the session is maintained whenever the
>>> JSESSIONID cookie contains a valid session id. In particular, I
>>> established a session with the Resin 3.1 server, then changed my
>>> client IP, then reconnected to the server and all session information
>>> was maintained.
>>>
>>> Thanks in advance.
>>> Rafa.
>>
>>
>>
>> ----------------------------------------------------------------
>>
>>
>>
>>
>>
>> _______________________________________________
>> resin-interest mailing list
>> resin-interest@caucho.com
>> http://maillist.caucho.com/mailman/listinfo/resin-interest
>
>
>
>
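
The filter approach discussed in the thread (store the client IP in the session, check it on every request), as an added example that is not code from any of the posters or from Resin. The class name and session attribute name are hypothetical; it assumes the standard `javax.servlet` API and a deployment where `getRemoteAddr()` returns the real client address.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical example filter: ties a session to the client IP that created it. */
public class SessionIpBindingFilter implements Filter {
    // Attribute name is an assumption made for this example.
    private static final String BOUND_IP = "example.session.boundIp";

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Behind a reverse proxy or load balancer this is the proxy's address,
        // so the check would then compare the wrong value.
        String remoteIp = request.getRemoteAddr();

        // getSession(false): never create a session just to run the check.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_IP);
            if (bound != null && !bound.equals(remoteIp)) {
                // Session ID presented from a different address: drop the
                // session so the ID is useless from either address.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        chain.doFilter(req, res);

        // Bind sessions created (or not yet bound) during this request, so the
        // binding exists before the session ID is ever sent back by a client.
        HttpSession current = request.getSession(false);
        if (current != null && current.getAttribute(BOUND_IP) == null) {
            current.setAttribute(BOUND_IP, remoteIp);
        }
    }
}
```

The filter has to be mapped in `web.xml` ahead of the application's own filters and servlets. Clients whose ISP changes their address mid-session, the case raised in this thread, will lose their session under this check.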

