> Excuse my question if it seems dumb, I'm not 100% on NAT and
> proxies, but the Eagle book says to 1 Choose a secret, 2 Select fields to be
> used for the MAC. It also suggests to use the remote IP address as one of
> those fields. 3 Compute the MAC via an MD5 hash and store in the client's
> browser. 4 On subsequent visits recompute the MAC and verify it matches the
> original stored MAC. How is this reliable in a situation where many
> similarly configured computers are behind a NAT/Proxy and one of the users
> tries to steal someone else's session by getting their cookie/session_id
> info?

Don't use the IP address in the cookie, just generate a unique ID of your
own.  I suggest using mod_unique_id.
- Perrin
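Perrin's advice worked through as an added example (not code from the thread, the Eagle book, or mod_unique_id): a session cookie signed with a keyed MAC over a server-generated unique id, beside the IP-bound variant from the question so the NAT case can be checked. Assumptions: the secret key value, the `sign_cookie`/`verify_cookie` names, and HMAC-SHA256 standing in for the book's MD5-of-secret-plus-fields construction.

```python
import hmac
import hashlib
import secrets

# Assumption: a server-side secret that never leaves the server (constructed demo value).
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def new_session_id():
    # Unpredictable per-session identifier, playing the role of mod_unique_id.
    return secrets.token_urlsafe(16)


def _mac(secret, *fields):
    # Keyed MAC over the chosen fields. Each field is length-prefixed so that
    # "ab"+"c" and "a"+"bc" cannot produce the same input.
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for field in fields:
        data = field.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def sign_cookie(session_id, remote_ip=None, secret=SECRET_KEY):
    # With remote_ip: the IP-bound scheme from the question.
    # Without it: Perrin's suggestion, bound only to the unique session id.
    fields = (session_id,) if remote_ip is None else (session_id, remote_ip)
    return f"{session_id}.{_mac(secret, *fields)}"


def verify_cookie(cookie, remote_ip=None, secret=SECRET_KEY):
    # Returns the session id when the MAC checks out, None otherwise.
    try:
        session_id, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    fields = (session_id,) if remote_ip is None else (session_id, remote_ip)
    expected = _mac(secret, *fields)
    # Constant-time comparison so a forged MAC cannot be confirmed byte by byte.
    return session_id if hmac.compare_digest(expected, mac) else None
```

Run against two hosts behind one NAT, the IP-bound form verifies a copied cookie for either of them because both present the same remote address, so the IP field adds nothing there while still rejecting a legitimate user whose address changes; the id-only form is no weaker in that case and does not break for roaming clients.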
