[ic] IPs that change with every access

Grant emailgrant at gmail.com
Sun Jun 24 20:56:56 EDT 2007

> >> >> That said, without changing the IC configuration, I have tested this
> >> >> situation by modifying the cookie in my browser, so that the IP
> >> address
> >> >> part no longer matches my actual IP address.  As long as the
> >> session ID
> >> >> part is constant Interchange does not seem to mind, and the session
> >> >> behaves normally, all the way through checkout.
> >> >
> >> > Which does introduce the possibility of session-hijacking.
> >> > Creating larger session ID's can make that more difficult.
> >>
> >> IC does check the IP address if the session is not cookie based, so
> >> spoofing the cookie would be required to hijack the session, unless
> >> someone can guess the session ID of someone else on the same IP (think a
> >> NAT situation such as a cyber cafe) or you disable or weaken IP checking
> >> via one of the config directives mentioned by Kevin earlier.
> >
> > So for cookie users, the IP address is not used to validate the
> > session and the changing IP won't matter?
> That is my understanding, though I can't say it authoritatively because
> that section of the code is rather difficult to follow.

I can verify that the session ID does not change along with the
changing IP.  Is that sufficient evidence that things are running

- Grant

More information about the interchange-users mailing list