[ic] IPs that change with every access

Peter peter at pajamian.dhs.org
Sat Jun 23 21:47:00 EDT 2007


On 06/23/2007 04:02 PM, Gert van der Spoel wrote:
>> -----Original Message-----
>> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
>> users-bounces at icdevgroup.org] On Behalf Of Carl Bailey
>> Sent: Sunday 24 June 2007 1:52
>> To: interchange-users at icdevgroup.org
>> Subject: Re: [ic] IPs that change with every access
>>
>> That said, without changing the IC configuration, I have tested this
>> situation by modifying the cookie in my browser, so that the IP address
>> part no longer matches my actual IP address.  As long as the session ID
>> part is constant Interchange does not seem to mind, and the session
>> behaves normally, all the way through checkout.
> 
> Which does introduce the possibility of session-hijacking.
> Creating larger session IDs can make that more difficult.

IC does check the IP address if the session is not cookie based, so
spoofing the cookie would be required to hijack the session, unless
someone can guess the session ID of someone else on the same IP (think a
NAT situation such as a cyber cafe) or you disable or weaken IP checking
via one of the config directives mentioned by Kevin earlier.

Peter


