[ic] IPs that change with every access
emailgrant at gmail.com
Sun Jun 24 18:11:44 EDT 2007
> >> That said, without changing the IC configuration, I have tested this
> >> situation by modifying the cookie in my browser, so that the IP address
> >> part no longer matches my actual IP address. As long as the session ID
> >> part is constant Interchange does not seem to mind, and the session
> >> behaves normally, all the way through checkout.
> > Which does introduce the possibility of session-hijacking.
> > Creating larger session IDs can make that more difficult.
> IC does check the IP address if the session is not cookie based, so
> spoofing the cookie would be required to hijack the session, unless
> someone can guess the session ID of someone else on the same IP (think a
> NAT situation such as a cyber cafe) or you disable or weaken IP checking
> via one of the config directives mentioned by Kevin earlier.
So for cookie users, the IP address is not used to validate the
session and the changing IP won't matter?