I've come up with a (very simple) defence against session hijacking and so on. It's probably flawed (I admit I'm not an expert on these things), so if someone could please tell me why it won't work, I'd be very grateful.

When the user logs in, the server stores the client's IP address in a session variable (so it's stored at the server end - the client just gets a session id). Authentication of subsequent pages is assumed only if the client's IP address matches the IP address stored in the session variable corresponding to the client's session. Is this secure? If not, why not?

Jill

[Moderator's Note: you might want to read the original paper again. It

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
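The scheme described in the post, written out as an added example (not code from the post or from the list): a hypothetical server-side session store that records the authenticating IP at login and only honours a session id presented from that same address. The usernames, addresses and the `login`/`authenticate` helpers are constructed for illustration.

```python
import secrets
from typing import Dict, Optional

# Hypothetical server-side session store: session id -> {"user", "ip"}.
# Only the opaque id ever leaves the server, as in the post.
SESSIONS: Dict[str, dict] = {}


def login(username: str, client_ip: str) -> str:
    """Create a session bound to the address that authenticated; return only the id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "ip": client_ip}
    return sid


def authenticate(sid: Optional[str], client_ip: str) -> Optional[str]:
    """Return the username if the id is known AND the request's address matches
    the one recorded at login; otherwise treat the request as unauthenticated."""
    sess = SESSIONS.get(sid) if sid else None
    if sess is None or sess["ip"] != client_ip:
        return None
    return sess["user"]


def demo() -> dict:
    """Exercise the cases the check can and cannot distinguish (constructed inputs)."""
    sid = login("jill", "203.0.113.10")
    return {
        # request from the address recorded at login: accepted
        "same_ip": authenticate(sid, "203.0.113.10"),
        # the same id presented from any other address: rejected.  This covers
        # an id captured and replayed from elsewhere, but equally the legitimate
        # user if their address changes mid-session.
        "other_ip": authenticate(sid, "198.51.100.7"),
        # an id the server never issued: rejected regardless of address
        "unknown_sid": authenticate("not-a-real-id", "203.0.113.10"),
    }
```

Note that the check compares source addresses only: any request carrying a valid id from the recorded address is accepted identically, so it cannot tell two clients sharing that address apart.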