On 04 Jul 2001 19:34:03 +1000, Jason Murray wrote:
> > Now tell me what's wrong with my opinion, b/c it's too simple
> > to work :)
>
> Four words: "Load Balancing Proxy Servers".
I knew it! :)
So if someone on the net sees the URL and it has a session id in it,
that session can be stolen?
--
> I think a session should be from the same IP all its life, and this
> should be built into php. Internal networks will be seen as the same
> ip, so a session can be stolen by somebody else in the same
> internal net, but not from outside of it.
>
> Now tell me what's wrong with my opinion, b/c
> hijacking? I thought of checking IP address on subsequent requests,
> but apparently this cannot be relied on because of HTTP proxies etc.
but isn't it better than nothing?
I think a session should be from the same IP all its life, and this
should be built into php. Internal networks will be see