Olaf,

On 1/11/16 4:12 PM, Olaf Kock wrote:
> Well, at least you do a bit of protection instead of just disabling the
> session fixation security filter. However, be aware that potentially
> many people might come from the same IP address - either because it's a
> NATing home router or a big company's proxy server. Especially if you
> want to attack someone who's in the same network as yourself, this
> IP-based protection is quite useless.
The primary example of this not working is America Online (which really does still exist). I haven't checked recently, but for quite a long time they would proxy everybody through a small set of servers -- millions of users all appearing to have the same IP address.

Restricting a login to a single IP address (e.g. like Bugzilla can do)? That does actually make some sense, since it doesn't harm anyone and merely fails to add protection for AOL users and other users in a similar situation. But making IP address ~= session id? That will never work properly.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
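To make the point of the two messages above concrete, here is an added simulation (it is not code from this thread, from Tomcat or from Liferay, and it is in Python rather than the Java servlet code the list is about). A hypothetical in-memory SessionStore runs a session-fixation attack under two different defences: binding the session to the client IP address versus issuing a new session id at login. The IP addresses are constructed RFC 5737 documentation addresses; the "same NAT" case gives attacker and victim the same address, as Olaf describes for a home router or corporate proxy and Chris describes for AOL.

```python
"""Session fixation: IP binding versus session-id regeneration (added example)."""
import secrets


class SessionStore:
    """Hypothetical in-memory session table: session id -> {"user": ..., "ip": ...}."""

    def __init__(self):
        self.sessions = {}

    def create(self, ip):
        """Create an anonymous session and return its (random) id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "ip": ip}
        return sid

    def login(self, sid, ip, user, regenerate):
        """Authenticate the session presented as sid and return the id to use afterwards.

        With regenerate=True the authenticated state is moved to a fresh id and the
        presented id is invalidated, so an id an attacker planted before login never
        becomes an authenticated session. With regenerate=False the planted id is
        simply promoted to a logged-in session (this is the fixation bug).
        """
        if sid not in self.sessions:
            sid = self.create(ip)
        if regenerate:
            del self.sessions[sid]
            sid = self.create(ip)
        self.sessions[sid].update(user=user, ip=ip)
        return sid

    def authenticated_user(self, sid, ip, bind_ip):
        """Return the logged-in user for sid, or None if the request is rejected.

        bind_ip=True is the "IP address ~= session id" idea from the thread: the
        request is only accepted from the address the session was logged in from.
        """
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return None
        if bind_ip and sess["ip"] != ip:
            return None
        return sess["user"]


def run_fixation_attack(bind_ip, regenerate, attacker_ip, victim_ip):
    """Simulate one session-fixation attack; return True if the attacker gets in.

    1. The attacker obtains a valid anonymous session id from the server.
    2. The attacker plants that id in the victim's browser (how is out of scope).
    3. The victim logs in as "alice" while presenting the planted id.
    4. The attacker presents the planted id from their own address.
    """
    store = SessionStore()
    planted = store.create(attacker_ip)
    store.login(planted, victim_ip, "alice", regenerate)
    return store.authenticated_user(planted, attacker_ip, bind_ip) == "alice"


if __name__ == "__main__":
    # Constructed addresses: 198.51.100.7 is the attacker, 203.0.113.5 is the victim;
    # "same NAT" means both appear to the server as 203.0.113.5.
    cases = [
        ("no defence, different IPs", dict(bind_ip=False, regenerate=False,
                                           attacker_ip="198.51.100.7", victim_ip="203.0.113.5")),
        ("IP binding, different IPs", dict(bind_ip=True, regenerate=False,
                                           attacker_ip="198.51.100.7", victim_ip="203.0.113.5")),
        ("IP binding, same NAT/proxy", dict(bind_ip=True, regenerate=False,
                                            attacker_ip="203.0.113.5", victim_ip="203.0.113.5")),
        ("regenerate id, same NAT/proxy", dict(bind_ip=False, regenerate=True,
                                               attacker_ip="203.0.113.5", victim_ip="203.0.113.5")),
    ]
    for name, kw in cases:
        print(f"{name:32s} attacker hijacks session: {run_fixation_attack(**kw)}")
```

The third case is the one both messages warn about: once attacker and victim share an egress address, the IP check passes and the planted id is a logged-in session. Regenerating the id at authentication (the behaviour of the session-fixation filter Olaf mentions, and of Tomcat's changeSessionIdOnAuthentication setting) closes the hole regardless of where the attacker connects from; binding to the IP, as Chris says, is at best an extra hurdle for attackers who are not behind the same proxy.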