Binding of IP address with Session id
Problem description
To prevent the session fixation problem, how can we bind the IP address with the session id? Is it possible to bind the session id with that of the IP address?
Recommended answer
I don't think that this is a good idea. Subsequent requests from the same user might not necessarily come from the same IP address because the request might come from a different proxy. IIRC this used to be the case for all AOL users and might be the case for other providers or some corporate networks, too.
It is better to secure your session with page tokens to prevent hijacking a session.
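An added example, not part of the original answer: a minimal sketch of the trade-off described above, assuming "page tokens" means a single-use token issued with each page and required on the next request. `SessionStore`, its methods and the IP addresses are hypothetical and constructed for illustration.

```python
import hmac
import secrets


class SessionStore:
    """In-memory sessions guarded by a rotating per-page token (hypothetical design)."""

    def __init__(self, bind_ip=False):
        self.bind_ip = bind_ip
        self.sessions = {}  # session id -> {"ip": login address, "token": current page token}

    def login(self, client_ip):
        # The session id and the first page token are both generated server-side.
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = {"ip": client_ip, "token": token}
        return sid, token

    def request(self, sid, page_token, client_ip):
        """Return the next page token on success, or None if the request is rejected."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.bind_ip and client_ip != sess["ip"]:
            return None  # IP binding: also rejects a real user whose proxy changed
        if not hmac.compare_digest(page_token.encode(), sess["token"].encode()):
            return None  # stale, replayed or guessed page token
        sess["token"] = secrets.token_urlsafe(32)  # single use: rotate on every page
        return sess["token"]


def demo():
    # Constructed scenario: one user whose requests leave through two proxy
    # addresses (documentation-range IPs), followed by a replay of a used token.
    results = {}
    for bind_ip in (True, False):
        store = SessionStore(bind_ip=bind_ip)
        sid, t0 = store.login("192.0.2.10")
        t1 = store.request(sid, t0, "192.0.2.10")
        roamed = store.request(sid, t1, "198.51.100.7")  # same user, other proxy
        replay = store.request(sid, t0, "192.0.2.10")    # already used token
        results[bind_ip] = (roamed is not None, replay is not None)
    return results


if __name__ == "__main__":
    print(demo())
```

With IP binding enabled the roaming user is locked out; with page tokens alone the roaming user is accepted while the replayed token is still refused.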