DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=22679>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=22679


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED




------- Additional Comments From [EMAIL PROTECTED]  2005-01-20 01:23 -------
Good practice for such an anti-session-hijacking/anti-cross-site-scripting measure is to
implement a 2 out of 3 approach: i.e. SSL session ID, remote IP and user-agent
are compared between each HTTP request and only if 2 out of 3 remain the same is
the login status maintained. Not 3 out of 3, because quite some DSL dynamic IP
assignments change relatively frequently and users are annoyed if they have to
re-authenticate often during a session. Similarly, some browsers do not keep an
SSL session alive for the same duration as an application-user session may last.

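The 2-out-of-3 session binding check described in the comment above, as an added Python example that is not part of the bug report or of any Apache code; the fingerprint fields, the sample values and the `demo` helper are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionFingerprint:
    """The three attributes the comment proposes binding a login to."""
    ssl_session_id: str
    remote_ip: str
    user_agent: str  # client-supplied header, so the weakest of the three


def matching_attributes(stored: SessionFingerprint, current: SessionFingerprint) -> int:
    """Count how many of the three attributes are unchanged since login."""
    pairs = (
        (stored.ssl_session_id, current.ssl_session_id),
        (stored.remote_ip, current.remote_ip),
        (stored.user_agent, current.user_agent),
    )
    return sum(1 for a, b in pairs if a == b)


def login_still_valid(stored: SessionFingerprint, current: SessionFingerprint,
                      required: int = 2) -> bool:
    """2-out-of-3 rule: keep the login only if at least `required` attributes match.

    Setting required=3 gives the stricter rule the comment argues against.
    """
    return matching_attributes(stored, current) >= required


# Constructed sample: fingerprint captured when the user authenticated.
AT_LOGIN = SessionFingerprint("a1b2c3", "203.0.113.10", "Mozilla/5.0 (X11)")


def demo() -> dict:
    """Walk through the cases the comment describes; True means the login survives."""
    cases = {
        # DSL reassignment: IP changes, SSL session and user-agent unchanged -> keep.
        "dsl_ip_changed": SessionFingerprint("a1b2c3", "203.0.113.77", "Mozilla/5.0 (X11)"),
        # Browser dropped the SSL session: new SSL ID, IP and user-agent unchanged -> keep.
        "ssl_renegotiated": SessionFingerprint("ffee99", "203.0.113.10", "Mozilla/5.0 (X11)"),
        # Only the user-agent still matches: two of three changed -> re-authenticate.
        "ip_and_ssl_changed": SessionFingerprint("ffee99", "198.51.100.5", "Mozilla/5.0 (X11)"),
    }
    return {name: login_still_valid(AT_LOGIN, fp) for name, fp in cases.items()}


if __name__ == "__main__":
    print(demo())
```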