On Thursday 14 August 2003 8:06 am, Joelle Nebbe wrote:
> What I do is store both the remote IP and the user agent HTTP parameters in
> the session when the session is created. Whenever a new request comes in
> with that session I check that those haven't changed.
So, you don't care about AOL users then? They can change IPs on every request as they get routed between proxies.

> I also check referrer to make sure people are coming from a page that makes
> sense.

Not much of a barrier to anyone who cares enough to bother coding up a cross-site scripting attack.

> If you need even better security there's ssl, or storing unique,
> random 'challenge-response' style tokens into pages that have to be sent
> back on the next connection

That's an idea. You could try making every cookie good for only one use, and send a new one out every time.

Ultimately though, I think the answer is that sites with sensitive information can't leave themselves open to CSS attacks.

- Perrin
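The two mechanisms discussed in this exchange, binding a session to the client's IP and User-Agent and rotating a one-use token on every request, as an added example that is not code from either poster. It is a self-contained in-memory store; the class and function names (SessionStore, bind_client, referer_ok, run_demo) and the sample addresses and User-Agent strings are this example's own constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example (not the list posters' code). An in-memory session store that
# (1) optionally binds a session to the client's IP and User-Agent, as Joelle
# describes, and (2) issues a fresh one-use token on every accepted request, as
# Perrin suggests, so that a token replayed later is detected and the session
# revoked. All names and sample values below are this example's assumptions.

class SessionStore:
    def __init__(self, bind_client=True):
        self.bind_client = bind_client
        self._sessions = {}  # session id -> {"ip", "ua", "token"}

    def create(self, ip, user_agent):
        """Start a session; return its id and the first one-use token."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = {"ip": ip, "ua": user_agent, "token": token}
        return sid, token

    def validate(self, sid, token, ip, user_agent):
        """Check one request. Returns (True, next_token) or (False, reason)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False, "unknown session"
        if not hmac.compare_digest(sess["token"], token):
            # A token that is not the current one is being replayed. We cannot
            # tell whether the attacker or the victim sent it, so revoke the
            # whole session and force a fresh login.
            del self._sessions[sid]
            return False, "token reuse; session revoked"
        if self.bind_client and (sess["ip"] != ip or sess["ua"] != user_agent):
            return False, "client IP or User-Agent changed"
        sess["token"] = secrets.token_urlsafe(32)  # rotate on every accepted request
        return True, sess["token"]

def referer_ok(referer, expected_host):
    """The Referer check from the thread: accept only if the host matches."""
    if not referer:
        return False
    return urlsplit(referer).hostname == expected_host

def run_demo():
    results = {}
    ua = "Mozilla/5.0 (constructed UA)"

    # Scenario 1: a token stolen via XSS is replayed after the victim has used it.
    store = SessionStore(bind_client=False)
    sid, tok = store.create("192.0.2.10", ua)
    stolen = tok                      # attacker copies the cookie value
    ok, tok = store.validate(sid, tok, "192.0.2.10", ua)
    results["victim_first_request_ok"] = ok
    ok, _ = store.validate(sid, stolen, "198.51.100.7", "curl/7.0 (constructed)")
    results["replay_rejected"] = not ok
    ok, _ = store.validate(sid, tok, "192.0.2.10", ua)
    results["victim_locked_out_after_replay"] = not ok   # session was revoked

    # Scenario 2: IP/UA binding versus a client whose IP changes per request
    # (the proxy-pool case Perrin raises).
    strict = SessionStore(bind_client=True)
    sid, tok = strict.create("10.0.0.1", ua)
    ok, _ = strict.validate(sid, tok, "10.0.0.2", ua)
    results["ip_change_rejected_when_bound"] = not ok

    loose = SessionStore(bind_client=False)
    sid, tok = loose.create("10.0.0.1", ua)
    ok, _ = loose.validate(sid, tok, "10.0.0.2", ua)
    results["ip_change_accepted_when_unbound"] = ok

    results["referer_same_host"] = referer_ok("https://example.com/account", "example.com")
    results["referer_other_host"] = referer_ok("https://evil.example/phish", "example.com")
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should note before copying this. Rotation detects a stolen cookie rather than preventing its use: whichever of the attacker or the victim presents the old token second trips the revocation, and if the attacker gets there first the victim is the one locked out. And a client that issues parallel requests with the same token (a browser fetching several resources at once) will also trip it, so in practice the one-use token is usually carried only on form submissions or state-changing requests rather than on every hit.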