In theory an IP address can be faked or the attacker and victim might be behind the same NAT address, so it is not completely reliable.
Spring Security's SessionFixationProtectionFilter invalidates the session and creates a new one when it detects that an authentication has taken place: http://www.owasp.org/index.php/Session_Fixation_in_Java

On 24 May 2008, at 21:36, Axel Mendoza Pupo wrote:

> What does session-fixation-protection do???
> I resolved the session fixation problem by saving the IP address of
> authenticated users, and a filter that always checks if the IP address of
> the request is the same as the one I saved when the user successfully
> authenticated.
> Is this method insecure??
> I do this because I still use Acegi 1.0.4 and I never heard about Acegi
> session-fixation-protection

--
SpringSource
http://www.springsource.com
Registered in England and Wales: No. 5187766
Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ.

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
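The mechanism the reply describes, written out as an added example rather than Spring Security's or Acegi's own code: a servlet filter that rotates the session ID at the moment a login succeeds, so a session ID an attacker planted in the victim's browser before login is dead by the time anything authenticated is stored. It assumes a login form that POSTs "username" and "password" to /login, a Servlet 2.4+ container, and a hypothetical CredentialChecker interface for the actual password check; the attribute-copying helper is this example's own, not SessionFixationProtectionFilter's internals.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Spring Security code): a form-login filter that gives the
 * user a brand-new session ID when authentication succeeds. Whatever ID the
 * browser presented before login, attacker-chosen or not, is invalidated.
 */
public class SessionRotatingLoginFilter implements Filter {

    /** Session attribute under which the authenticated principal is kept. */
    public static final String PRINCIPAL_ATTR = "AUTHENTICATED_PRINCIPAL";

    /** Hypothetical hook: real credential verification is outside this example. */
    public interface CredentialChecker {
        boolean check(String username, String password);
    }

    private final CredentialChecker checker;

    public SessionRotatingLoginFilter(CredentialChecker checker) {
        this.checker = checker;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean loginAttempt = "POST".equals(request.getMethod())
                && "/login".equals(request.getServletPath());
        if (!loginAttempt) {
            chain.doFilter(req, res);
            return;
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null || !checker.check(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate BEFORE storing the principal: the pre-login session ID may have
        // been fixed by an attacker, so nothing authenticated may live under it.
        HttpSession session = migrateToFreshSession(request);
        session.setAttribute(PRINCIPAL_ATTR, username);

        // Redirect only after rotation, so the new JSESSIONID cookie is written
        // into this response before it is committed.
        response.sendRedirect(request.getContextPath() + "/");
    }

    /**
     * Copies the attributes of the current session (if any) into a new session
     * with a new ID, invalidates the old one, and returns the new session.
     */
    static HttpSession migrateToFreshSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();   // raw Enumeration on Servlet 2.x
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();   // the old ID, and any attacker's copy of it, is now worthless
        }
        HttpSession fresh = request.getSession(true);   // container issues a new ID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The point of rotating the ID rather than binding the session to a client IP is that it removes the attacker's foothold directly: an attacker who fixed the victim's session ID and sits behind the same NAT address as the victim passes an IP check, but does not learn the fresh ID issued at login. Copying attributes across is optional; drop the copy if the pre-login session should carry nothing forward. On Servlet 3.1+ containers, HttpServletRequest.changeSessionId() performs the ID rotation in one call without the manual copy.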