Application Server Solutions for Microsoft IIS and ASP.NET
BlueDragon Self-Help: FAQ

FAQ ID: 64
Product: ServletExec
Category: Session Tracking

Question: I'm concerned about hackers being able to calculate a valid session id. What can I do to protect against this?

Answer: First you should use SSL to protect against packet sniffing. Then you should do the following:

  1. When a session is created, add the IP address of the client to the session.

  2. On subsequent requests make sure the IP address of the client for the request matches the IP address of the client stored in the session.

This way the hacker would not only need to calculate a valid session id but also determine the IP address of the client for that session id.

NOTE: this solution won't work well with web servers that run behind a proxy server since in this case the client IP address will be the same for all requests.
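One way to implement the two steps above is a servlet filter that runs in front of every request. This is an added example, not code from New Atlanta or ServletExec; the class name SessionIpBindingFilter and the session attribute key bound.client.ip are assumptions, and the filter uses the standard javax.servlet API of the servlet 2.x era that ServletExec implements.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter name and attribute key (assumptions, not part of ServletExec).
public class SessionIpBindingFilter implements Filter {

    // Session attribute under which the client's IP address is stored.
    private static final String BOUND_IP_ATTR = "bound.client.ip";

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Address of the TCP peer; behind a proxy this is the proxy, not the user.
        String clientIp = request.getRemoteAddr();

        // getSession(true) returns the existing session for a valid id, or creates
        // a fresh one (with no bound address yet) when the id is unknown.
        HttpSession session = request.getSession(true);
        String boundIp = (String) session.getAttribute(BOUND_IP_ATTR);

        if (boundIp == null) {
            // Step 1: session just created, record the client's IP address in it.
            session.setAttribute(BOUND_IP_ATTR, clientIp);
        } else if (!boundIp.equals(clientIp)) {
            // Step 2: the request's IP does not match the one stored in the session,
            // so the presented session id is not accepted. Invalidate it so it cannot
            // be retried, and refuse the request.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session id does not belong to this client");
            return;
        }

        // IP matches (or session is new): let the request proceed to the servlet.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to every URL in web.xml (a filter-mapping with url-pattern /*) so no servlet is reachable without the check. Because the comparison uses getRemoteAddr(), the caveat in the NOTE above applies directly: when the server sits behind a proxy, every request carries the proxy's address, the mismatch branch never fires, and the filter adds no protection.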
