Joe Breeden wrote: > > How does this work in an environment with two (or more) computers with the > exact same configuration, and probably the same HTTP_USER_AGENT behind the > same proxy? How do you know that one user isn't using another users session?
you don't. the session hijacker still would need to know the real user's username, password, and HTTP_USER_AGENT configuration. my point was that this solves the problem of using the ip address in the md5 hash when the client is behind a proxy server.