On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote:
> session id). Authentication of subsequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?
It's not a question of whether it's secure or not; in any kind of environment with distributed proxies, it just plain won't work. A more useful fix is to not allow arbitrary session IDs to be created, and generate the state on login, and destroy it on logout. There may be a condition I've missed with this, but I'm not sure.

MBM

-- 
Matthew Byng-Maddick <[EMAIL PROTECTED]> http://colondot.net/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
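The two ideas in the reply above (never accept a client-chosen session ID, mint the state on login and drop it on logout, and the reason IP binding breaks behind distributed proxies) are easier to see in code. The following is an added example written for this page; it is not code from the thread or from either poster. The class and method names (SessionStore, login, lookup, logout), the TTL, and the IP addresses are all constructed for illustration.

```python
import secrets
import time

# Assumed value for this example: idle timeout after which a session is dropped.
SESSION_TTL_SECONDS = 30 * 60


class SessionStore:
    """Server-side session table. Only the server ever creates an entry, and it
    does so only at login, so a client presenting an ID the server never minted
    (session fixation, guessing) gets nothing."""

    def __init__(self, bind_ip=False):
        # bind_ip=True reproduces the scheme the original poster asked about:
        # the session is only honoured from the IP it was created from.
        self._sessions = {}
        self.bind_ip = bind_ip

    def login(self, username, client_ip, now=None):
        """Mint a fresh random session ID for an authenticated user."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG; the client has no say in the value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": username,
            "ip": client_ip,
            "created": now,
            "last_seen": now,
        }
        return sid

    def lookup(self, sid, client_ip, now=None):
        """Return the username bound to sid, or None if the session is not
        valid for this request."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            # Unknown ID: reject. Crucially, do NOT create state for it; that is
            # what lets an attacker pre-plant an ID and wait for a victim to
            # authenticate under it.
            return None
        if now - sess["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        if self.bind_ip and sess["ip"] != client_ip:
            # IP binding: a legitimate user whose requests leave via a pool of
            # proxies (different source IPs per request) is logged out here,
            # which is the reply's objection to the scheme.
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid):
        """Destroy the session state. Returns True if something was removed."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    # Constructed walk-through: same user, two proxy egress addresses.
    bound = SessionStore(bind_ip=True)
    print("forged id accepted?", bound.lookup("attacker-chosen-id", "198.51.100.10") is not None)
    sid = bound.login("alice", "198.51.100.10")
    print("same proxy IP:", bound.lookup(sid, "198.51.100.10"))
    print("next request via other proxy IP:", bound.lookup(sid, "198.51.100.11"))

    unbound = SessionStore(bind_ip=False)
    sid = unbound.login("alice", "198.51.100.10")
    print("unbound, other proxy IP:", unbound.lookup(sid, "198.51.100.11"))
    unbound.logout(sid)
    print("after logout:", unbound.lookup(sid, "198.51.100.10"))
```

The unbound store still relies on the ID being unguessable and on the transport protecting it in transit; the point of the example is only that the protection comes from the server owning the ID's lifecycle, not from the client's source address.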