gaznewt
08-05-2006, 05:35 AM
What are the implications of using a surfer's IP address as a measure against session hijacking?
I have a token I pass around from page to page in a cookie or the URL if cookies are disabled. This identifies the session. I can add to this token the IP address from when the user logged on. If the IP address changes from one page to the next, how safe is it for me to assume that someone has hijacked the session?
I know that proxies all use the same IP address, so someone with the same network internet access will have the same IP address and will be able to hijack the session.
I also know that when I log off from my ISP and then back on I get a different IP address. But is it possible for a surfer's IP address to change at any time?
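The check described in the post, as an added example that is not part of the original post: a session token carrying the login IP, verified on each request, run against the two cases the post names (a shared proxy address and a reconnect that changes the address). The HMAC signing, the `|` separator, the function names and the documentation-range addresses are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example; a real server would load a persistent secret.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, login_ip: str) -> str:
    payload = f"{session_id}|{login_ip}".encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(session_id: str, login_ip: str) -> str:
    """Build 'session_id|login_ip|mac', binding the session to the login IP."""
    return f"{session_id}|{login_ip}|{_mac(session_id, login_ip)}"


def check_token(token: str, request_ip: str) -> str:
    """Classify a request as 'ok', 'ip_changed' or 'invalid'."""
    parts = token.split("|")
    if len(parts) != 3:
        return "invalid"
    session_id, login_ip, mac = parts
    # Reject tokens whose IP field was edited by the client.
    if not hmac.compare_digest(mac.encode(), _mac(session_id, login_ip).encode()):
        return "invalid"
    return "ok" if request_ip == login_ip else "ip_changed"


def demo() -> dict:
    # Constructed sample addresses from the documentation ranges.
    token = issue_token(secrets.token_hex(16), "203.0.113.10")
    forged = token.replace("203.0.113.10", "198.51.100.7")
    return {
        # The legitimate user, still on the login address.
        "same_user_same_ip": check_token(token, "203.0.113.10"),
        # A second client behind the same proxy presents the same address,
        # so the server sees an identical request and the check passes.
        "other_client_same_proxy": check_token(token, "203.0.113.10"),
        # The legitimate user after reconnecting to the ISP: flagged.
        "same_user_after_reconnect": check_token(token, "198.51.100.7"),
        # A token whose IP field was rewritten fails the MAC check.
        "rewritten_ip_field": check_token(forged, "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```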