[Gllug] IP address changes
Alain Williams
addw at phcomp.co.uk
Sun Nov 26 20:17:15 UTC 2006
On Sun, Nov 26, 2006 at 06:00:24PM +0000, John G Walker wrote:
>
>
> On Sun, 26 Nov 2006 17:44:05 +0000 Alain Williams <addw at phcomp.co.uk>
> wrote:
>
> > a man-in-the-middle could steal the cookie & use it to pretend to be
> > the logged in user.
>
> If he could do this, he could presumably also issue a fake IP address,

Yes - but getting the routing back would be interesting ... those packets
intended for him vs those for the user ... hmmm, but I suppose that this
is exactly what a natting firewall will do ... yes, you are right,
it may not add much.

OK: let's turn the question around: is it worth protecting against session
hijacking, if so how to do it? I don't want the cost of https.

The sessions that I use are PHP ones where the PHPSESSID cookie contains
a large random number that is used to identify the cookie.
--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>
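
The trade-off conceded in the message above, as an added PHP example that is not code from the post: a session pinned to the client address rejects a cookie replayed from another network, but accepts one replayed from behind the same NAT address and rejects the real user after an address change. The function names, the in-memory store and the RFC 5737 documentation addresses are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names): a session store that pins each
// session id to the client address seen at login.

function new_session(array &$store, string $user, string $remote_addr): string
{
    // Large random identifier, playing the role of the PHPSESSID value.
    $sid = bin2hex(random_bytes(16));
    $store[$sid] = ['user' => $user, 'ip' => $remote_addr];
    return $sid;
}

// Returns the user name if the session id is known AND the request comes
// from the address recorded at login; null otherwise.
function check_session(array $store, string $sid, string $remote_addr): ?string
{
    if (!isset($store[$sid])) {
        return null;                       // unknown session id
    }
    if ($store[$sid]['ip'] !== $remote_addr) {
        return null;                       // address differs from login
    }
    return $store[$sid]['user'];
}

// Constructed sample data: all addresses are documentation ranges.
$store = [];
$sid = new_session($store, 'alice', '203.0.113.10');

$cases = [
    'same client, same address'                => '203.0.113.10',
    'cookie replayed from another network'     => '198.51.100.7',
    // The server sees only the NAT's public address, so this request
    // is indistinguishable from the real client's.
    'cookie replayed from behind the same NAT' => '203.0.113.10',
    // A legitimate user whose address changed mid-session is locked out.
    'same user after an address change'        => '192.0.2.44',
];

foreach ($cases as $label => $addr) {
    $user = check_session($store, $sid, $addr);
    printf("%-42s %s\n", $label, $user === null ? 'rejected' : "accepted as $user");
}
```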