[ic] IPs that change with every access

Peter peter at pajamian.dhs.org
Sun Jun 24 19:52:19 EDT 2007

On 06/24/2007 03:11 PM, Grant wrote:
>> >> That said, without changing the IC configuration, I have tested this
>> >> situation by modifying the cookie in my browser, so that the IP
>> address
>> >> part no longer matches my actual IP address.  As long as the
>> session ID
>> >> part is constant Interchange does not seem to mind, and the session
>> >> behaves normally, all the way through checkout.
>> >
>> > Which does introduce the possibility of session-hijacking.
>> > Creating larger session ID's can make that more difficult.
>> IC does check the IP address if the session is not cookie based, so
>> spoofing the cookie would be required to hijack the session, unless
>> someone can guess the session ID of someone else on the same IP (think a
>> NAT situation such as a cyber cafe) or you disable or weaken IP checking
>> via one of the config directives mentioned by Kevin earlier.
> So for cookie users, the IP address is not used to validate the
> session and the changing IP won't matter?

That is my understanding, though I can't say it authoritatively because
that section of the code is rather difficult to follow.

Hopefully someone else will verify.


More information about the interchange-users mailing list