Session Hijacking
I am dealing with a situation where a session has to be maintained for a person in a network, but he is always facing a problem: he has to give his password again for logging in.

The problem is that it is taking a different IP address with every new request (as in a network).

How can I solve this problem by using some bits of the IP address (192.168.11.10 etc.)?

Actually, every time the program reads the IP address of the system + session ID, creates a new string value of it, and cross-checks that value with the value it gets at last with the incoming request for tracing the original session. But as in a network it takes a different IP every time, so at last a mismatch happens. Can using some different concept of using 8, 16, 24, 32 or any number of bits solve this problem? I think Google and Yahoo work on a concept where the IP is not very important etc.

Please give me some clues to proceed.

Vijendra
Re: Session Hijacking
vjmaker78@gmail.com wrote:
> I am dealing with a situation where session has to maintained for a
> person in network.but he is always facing problem .He has to give
> password again for logging in.
> problem is it is taking different IP address with every new request(as
> in network).
> how can i solve this problem by using some bits of ip
> address(192.168.11.10 etc.).
> Actually every time program read the ip address of system + session ID
> and creates a new string value of it and cross check that value with
> the value it gets at last with incoming request for tracing the original
> session.but as in network it takes different ip every time.So at last
> mismatch happens.can by using some different concept of using 8,16,24,32
> any no of bits will solve this problem.I think google,yahoo works on
> concept where ip is not very important etc.
> Please give me some clues to proceed.

It's not really clear. Are you saying you have to restore someone's session after he logs in from another machine? In that case, serialize your session information and save it somewhere every time it changes. This doesn't consider the case, of course, when two people are working at the same time with the same account.
Re: Session Hijacking
Here I am talking about a single person who, when he logs in through a network, gets the same message to give his password again and again.

This mechanism works well with the session not being hijacked, as it cross-checks the session value + IP address every time a request comes.

It basically creates a new string value of (session + IP address) and stores it for cross-checking.

The network takes a new IP every time for a single person, also for his every new request, and ultimately a mismatch happens, resulting in it asking for the password again every time.

It's like this: every time the program reads the IP address of the system + session ID, creates a new string value of it, and cross-checks that value with the value it gets at last with the incoming request for tracing the original session. But as in a network it takes a different IP every time, so at last a mismatch happens.

If you want further clarification, you can ask me more.

Vj
Re: Session Hijacking
> Network takes a new ip every time for a single person also for his
> every new request.
> an ultimately mismatch happens resulting in again asks for password
> every time.

You mean something like: you have a web app that has a login screen, you log in, the IP is sent and the session is created. You click a link and the IP address changes? That's weird. Please define this "every time" a little more. Between screens/modules, app instances.
Re: Session Hijacking
vjmaker78@gmail.com wrote:
> Here i am talking about a single person who when logs in through a
> network gets the same message to give password again and again.
>
> This mechanism works well with session not been hijacked as it cross
> check the session value+ipaddress everytime when a request comes.
>
> It basically creates a new string value of(session+ipaddress) stores
> it.for cross checking.
>
> Network takes a new ip every time for a single person also for his
> every new request.
> an ultimately mismatch happens resulting in again asks for password
> every time.
>
> Its like every time program read the ip address of system + session ID
> and creates a new string value of it and cross check that value with
> the value it gets at last with incoming request for tracing the original
> session.but as in network it takes different ip every time.So at last
> mismatch happens.
>
> If you want further clarification can ask me more.
>
> Vj

I do a lot of non-traditional session work with web services, typically using java.util.UUID. Why do you attach the IP to your session? If the session id is random, what advantage is there to trace it back to an IP or MAC address?

FWIW, version 1 UUIDs include a MAC address. Google for 'java.util.UUID mini-FAQ' if interested.

HTH,
robert
http://www.braziloutsource.com/
Re: Session Hijacking
vjmaker78@gmail.com wrote:
> Here i am talking about a single person who when logs in through a
> network gets the same message to give password again and again.

Is it the expected behaviour or are you describing the problem? Be clear. Make short sentences.

> This mechanism works well with session not been hijacked as it cross
> check the session value+ipaddress everytime when a request comes.

Don't use "hijacked" without defining your understanding of it. Session hijack means somebody else from the network intercepts the communication and session and uses it to log on to the system.

> It basically creates a new string value of(session+ipaddress) stores
> it.for cross checking.

OK, this is clear.

> Network takes a new ip every time for a single person also for his
> every new request.

Please explain what protocol in place is changing the IP address of the client. Is it a mobile/PDA application that disconnects from the network at every request?

> an ultimately mismatch happens resulting in again asks for password
> every time.

Then maybe you shouldn't be using an IP+SessionId key to retrieve the session. I don't know about the UUID proposed by 'iksrazal', but it sounds like a good solution if the MAC address is used instead of the changing IP.

-- JSC
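
The "some bits of the IP address" idea from the first post, as an added example that is not code from any poster in this thread: the stored check value is built from the session id plus only the first N bits of the client's IPv4 address, so later requests from other addresses in the same network still match. The class name, method names and sample addresses are assumptions made for illustration, and the session id here is random and independent of the address.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration; class, method names and addresses are assumptions.
public class PrefixBoundSession {
    private static final SecureRandom RNG = new SecureRandom();

    // 128-bit random session id; it does not depend on the client address.
    static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Keep only the first prefixBits bits of an IPv4 literal (24 -> a.b.c.0).
    static String maskIpv4(String ip, int prefixBits) throws UnknownHostException {
        byte[] a = InetAddress.getByName(ip).getAddress();
        if (a.length != 4 || prefixBits < 0 || prefixBits > 32) {
            throw new IllegalArgumentException("need IPv4 and prefixBits 0..32");
        }
        int addr = ((a[0] & 0xff) << 24) | ((a[1] & 0xff) << 16)
                 | ((a[2] & 0xff) << 8) | (a[3] & 0xff);
        // Java masks int shift counts to 5 bits, so a 32-bit shift needs a special case.
        int net = addr & (prefixBits == 0 ? 0 : -1 << (32 - prefixBits));
        return (net >>> 24) + "." + ((net >>> 16) & 0xff) + "."
             + ((net >>> 8) & 0xff) + "." + (net & 0xff);
    }

    // The stored check value: session id + masked address instead of the full address.
    static String checkValue(String sid, String ip, int bits) throws UnknownHostException {
        return sid + "|" + maskIpv4(ip, bits) + "/" + bits;
    }

    public static void main(String[] args) throws UnknownHostException {
        String sid = newSessionId();
        // Constructed sample addresses: same /24, then a different /24 in the same /16.
        String[] later = {"192.168.11.77", "192.168.12.5"};
        for (int bits : new int[] {32, 24, 16}) {
            String stored = checkValue(sid, "192.168.11.10", bits);
            for (String ip : later) {
                boolean ok = stored.equals(checkValue(sid, ip, bits));
                System.out.println("/" + bits + " " + ip + " accepted=" + ok);
            }
        }
    }
}
```

A prefix only helps while the changing addresses share it; when they do not, the random session id alone has to identify the session, which is the direction the replies above point in.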