
Re: [ic] IPs that change with every access


On 06/24/2007 03:11 PM, Grant wrote:
>> >> That said, without changing the IC configuration, I have tested this
>> >> situation by modifying the cookie in my browser, so that the IP address
>> >> part no longer matches my actual IP address.  As long as the session ID
>> >> part is constant Interchange does not seem to mind, and the session
>> >> behaves normally, all the way through checkout.
>> >
>> > Which does introduce the possibility of session-hijacking.
>> > Creating larger session ID's can make that more difficult.
>>
>> IC does check the IP address if the session is not cookie based, so
>> spoofing the cookie would be required to hijack the session, unless
>> someone can guess the session ID of someone else on the same IP (think a
>> NAT situation such as a cyber cafe) or you disable or weaken IP checking
>> via one of the config directives mentioned by Kevin earlier.
> 
> So for cookie users, the IP address is not used to validate the
> session and the changing IP won't matter?

That is my understanding, though I can't say it authoritatively because
that section of the code is rather difficult to follow.

Hopefully someone else will verify.

Peter
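The validation policy the thread describes (IP part of the session token only checked for non-cookie sessions, with a config switch that can weaken it), modelled as an added example; this is constructed illustration code, not Interchange's own implementation, and the "ip:session-id" token layout, the SessionStore class and the strict_ip_check flag are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    created_ip: str  # IP the session was first issued to


class SessionStore:
    """Constructed model of the behaviour discussed in the thread."""

    def __init__(self, strict_ip_check: bool = True):
        self.sessions: dict[str, Session] = {}
        # Models the config directives that disable or weaken IP checking.
        self.strict_ip_check = strict_ip_check

    def create(self, client_ip: str, id_bytes: int = 32) -> str:
        # Larger ids are harder to guess: id_bytes * 8 bits of entropy.
        sid = secrets.token_urlsafe(id_bytes)
        self.sessions[sid] = Session(sid, client_ip)
        return f"{client_ip}:{sid}"  # assumed "<ip>:<session id>" layout

    def validate(self, token: str, client_ip: str, from_cookie: bool) -> str:
        # rsplit so IPv6 addresses containing ':' still parse correctly.
        ip_part, _, sid = token.rpartition(":")
        if sid not in self.sessions:
            return "rejected: unknown session"
        if from_cookie:
            # Observed behaviour: cookie sessions ignore the IP part entirely,
            # so only the secrecy/length of the session id protects the user.
            return "accepted"
        if self.strict_ip_check and ip_part != client_ip:
            # URL-carried sessions are tied to the originating IP.
            return "rejected: ip mismatch"
        return "accepted"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("203.0.113.5")  # constructed sample address
    print(store.validate(tok, "198.51.100.9", from_cookie=False))
```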

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users

