IP 地址与会话 ID 的绑定 [英] Binding of IP address with Session id

问题描述

为了防止会话固定问题，我们如何将IP地址与会话ID绑定?是否可以将会话ID与IP地址绑定?

To prevent the session fixation problem, how can we bind the IP address with the session id? Is it possible to bind the session id with that of the IP address??

推荐答案

我不认为这是一个好主意.来自相同用户的后续请求可能不一定来自相同的 IP 地址，因为请求可能来自不同的代理.IIRC 过去所有 AOL 用户都是这种情况，其他提供商或某些公司网络也可能是这种情况.

I don't think that this is a good idea. Subsequent request from the same users might not necessarily come from the same IP address because the request might come from a different proxy. IIRC this used to be the case for all AOL users and might be the case for other providers or some corporate networks, too.

最好使用页面令牌来保护您的会话以防止劫持一个会话.

It is better to secure your session with page tokens to prevent highjacking a session.

这篇关于IP 地址与会话 ID 的绑定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！