>> That said, without changing the IC configuration, I have tested this
>> situation by modifying the cookie in my browser, so that the IP address
>> part no longer matches my actual IP address. As long as the session ID
>> part is constant Interchange does not seem to mind, and the session
>> behaves normally, all the way through checkout.
>
> Which does introduce the possibility of session-hijacking.
> Creating larger session IDs can make that more difficult.

IC does check the IP address if the session is not cookie based, so spoofing the cookie would be required to hijack the session, unless someone can guess the session ID of someone else on the same IP (think a NAT situation such as a cyber cafe) or you disable or weaken IP checking via one of the config directives mentioned by Kevin earlier.

So for cookie users, the IP address is not used to validate the session and the changing IP won't matter?

- Grant