[ic] IPs that change with every access

Grant emailgrant at gmail.com
Sun Jun 24 18:11:44 EDT 2007

> >> That said, without changing the IC configuration, I have tested this
> >> situation by modifying the cookie in my browser, so that the IP address
> >> part no longer matches my actual IP address.  As long as the session ID
> >> part is constant Interchange does not seem to mind, and the session
> >> behaves normally, all the way through checkout.
> >
> > Which does introduce the possibility of session-hijacking.
> > Creating larger session ID's can make that more difficult.
> IC does check the IP address if the session is not cookie based, so
> spoofing the cookie would be required to hijack the session, unless
> someone can guess the session ID of someone else on the same IP (think a
> NAT situation such as a cyber cafe) or you disable or weaken IP checking
> via one of the config directives mentioned by Kevin earlier.

So for cookie users, the IP address is not used to validate the
session and the changing IP won't matter?

- Grant

More information about the interchange-users mailing list