Very true. I also filtered IPs a little, checked some headers and such... but I didn't
store the user agent. That's an interesting idea! The original problem is solved,
but it's fun to keep talking.
I think I'm going to have to try out Orion sometime... I hope it's better than Tomcat!
Three of my friends are trying to get me onto JBoss, but I don't like the name. The name
reminds me of Boss Hogg from the Dukes of Hazzard.
Curt Sampson wrote:
> On Sun, 29 May 2005, Paul wrote:
>
> > To make the session unhijackable on a handset check the Handset ID
> > and use it to make the secret code that indicates a session.
>
> Handset IDs can be faked, unless you're also checking the source of the
> request to make sure that it's, e.g., one of the known Docomo proxy
> servers. As well, note that if you request the handset ID to be sent,
> it's going to prompt the user to make sure that that's ok. You certainly
> don't want this happening on every page!
>
> A less costly check is just to store other header information, such as
> the User-agent, when starting a session, and if that information changes
> during the session, invalidate the session. It's not a perfect check,
> but it will stop casual (and usually accidental) session sharing when
> someone sends a URL to someone else, and will make it a bit more work
> for a malicious attacker.
>
> cjs
> --
> Curt Sampson <cjs@cynic.net> +81 90 7737 2974
>
> *** Contribute to the Keitai Developers' Wiki! ***
> *** http://www.keitai-dev.net/wiki/ ***
>
> This mail was sent to address paul@thetamusic.com
> Need archives? How to unsubscribe? http://www.appelsiini.net/keitai-l/
--
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*F=m(dv/dt)
Paul B. Lester
thetamusic.com(有)
Chief Engineer
EMAIL: paul@thetamusic.com
--
http://www.thetamusic.com/
personal homepage: http://www.purplepaul.com/
personal EMAIL: pbl1@cornell.edu
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*F=m(dv/dt)
Received on Mon May 30 05:29:27 2005
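The two checks Curt describes above, written out as an added example (this is not code from the thread or from any of the servers mentioned): a session remembers the User-Agent and Accept-Language headers seen when it was created and is invalidated if they change, and a handset ID is only believed when the request arrived from one of a list of known carrier proxy addresses. The proxy network `203.0.113.0/24`, the header name `X-Handset-Id` and the sample requests are all constructed for the example; a real deployment would substitute the carrier's published gateway addresses and header name.

```python
"""Session binding example (added illustration, not from the original thread).

Two checks from the discussion:
  1. bind the session to request headers captured at creation and drop the
     session if they change (cheap; stops casual URL sharing);
  2. trust a handset ID only when the request came through a known carrier
     proxy, since the header itself can be faked by anyone else.
"""
import ipaddress
import secrets

# ASSUMED for the example: address range of the carrier (e.g. DoCoMo) gateway
# proxies that insert the handset-ID header. Replace with the real list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# ASSUMED header name; the real carrier header differs.
HANDSET_ID_HEADER = "X-Handset-Id"


def bind_headers(headers):
    """Headers that must stay constant for the lifetime of a session.

    Header names are assumed to be canonicalised as shown (e.g. by the
    servlet container) before reaching this code.
    """
    return (headers.get("User-Agent", ""), headers.get("Accept-Language", ""))


def trusted_handset_id(headers, source_ip):
    """Return the handset ID only if the request came via a trusted proxy.

    A handset ID presented from any other source address is ignored rather
    than rejected: the header is simply not evidence of anything there.
    """
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in TRUSTED_PROXIES):
        return None
    return headers.get(HANDSET_ID_HEADER)


class SessionStore:
    """In-memory session table keyed by a random, unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, headers, source_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "bound": bind_headers(headers),
            # May be None: the handset ID is not demanded on every page,
            # because requesting it prompts the user each time.
            "handset": trusted_handset_id(headers, source_ip),
        }
        return sid

    def validate(self, sid, headers, source_ip):
        """True if the request may continue the session; otherwise the
        session is invalidated and False is returned."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        # Check 1: bound headers changed -> invalidate, as suggested above.
        if bind_headers(headers) != sess["bound"]:
            self._sessions.pop(sid, None)
            return False
        # Check 2: if this request carries a handset ID that really came
        # through the carrier proxy and it differs from the one recorded at
        # session start, the session belongs to a different handset.
        hid = trusted_handset_id(headers, source_ip)
        if sess["handset"] is not None and hid is not None and hid != sess["handset"]:
            self._sessions.pop(sid, None)
            return False
        return True


if __name__ == "__main__":
    # Constructed sample traffic.
    store = SessionStore()
    proxy_ip = "203.0.113.10"
    ua = {"User-Agent": "DoCoMo/2.0 N900i(c100;TB;W24H12)", HANDSET_ID_HEADER: "ser-0001"}
    sid = store.create(ua, proxy_ip)
    print("same headers, via proxy:", store.validate(sid, ua, proxy_ip))
    print("URL pasted into a desktop browser:",
          store.validate(sid, {"User-Agent": "Mozilla/5.0"}, "198.51.100.7"))
```

Note that the handset-ID check is deliberately lenient when the ID is absent: a session created without one keeps working on pages that do not request it, which is exactly the "don't prompt on every page" point from the quoted message. The source-address check is what makes the ID worth anything at all; without it an attacker supplies whatever ID the victim has.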