[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] defense against session hijacking
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] defense against session hijacking
- From: Bartlomiej Frackiewicz <bf@open-medium.com>
- Date: 18 Nov 2003 15:50:09 +0100
Hi,
Am Mon, 2003-11-17 um 22.16 schrieb Thomas M. Duffey:
> method to protect against such an attack? It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user. Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
why you don't force session handling with cookies and set session
lifetime to 20mins (or so)?
Bart
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html