
Thread: Check Session on Same IP Address

  1. #1

    Check Session on Same IP Address

    Is there a way of checking that the session has stayed on the same IP address - to stop someone stealing the cookie and hijacking the session from another IP address?

    I know how to put the IP address into the session - during authentication, but I don't know how to put in a hook that checks things during every page request.

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449

    You should be able to do this with a simple servlet filter which checks the IP address from the request against the original one.
    Spring - by Pivotal
    twitter @tekul

  3. #3


    Thanks, that would be a simple, obvious solution!

    If it fails I guess the answer is to put a redirect to the logout page in the response?

    Just out of interest, does the 'hook' I mentioned exist in Spring Security - one that calls code when the authentication against the stored session is performed? I assume Spring Security rechecks the credentials on each request - or does it just assume that everything is okay if a session with the authority merely exists?

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team

    The user is authenticated once for the session - thereafter the session token is what ties the user to the originally authenticated identity. The credentials aren't checked on each request - the request doesn't typically contain them, so how would they be checked?
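The servlet filter suggested in #2, combined with the "redirect to logout on mismatch" idea from #3, as an added example written for this thread (it is not Spring Security code and not the poster's own). The attribute name, the logout path and the choice to bind the address on the first request that carries a session are all assumptions; binding by IP also locks out legitimate users whose address changes mid-session (mobile networks, load-balanced NAT), so treat it as one signal rather than the only session-hijacking control.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Binds a session to the client address it was first seen from; ends it on a change. */
public class SessionIpBindingFilter implements Filter {

    // Session attribute holding the originally seen remote address (assumed name).
    static final String BOUND_IP_ATTR = "SESSION_BOUND_IP";
    // Where a client whose session was invalidated is sent (assumed path).
    private static final String LOGOUT_URL = "/logout";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create one here
        if (session != null) {
            // getRemoteAddr() is the TCP peer address. X-Forwarded-For is client
            // supplied and must not be used unless a proxy you control overwrites it.
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_IP_ATTR);
            if (bound == null) {
                session.setAttribute(BOUND_IP_ATTR, current);  // first sighting: bind
            } else if (!bound.equals(current)) {
                session.invalidate();                          // mismatch: drop session
                response.sendRedirect(request.getContextPath() + LOGOUT_URL);
                return;                                        // do not run the chain
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml (or register it in front of Spring Security's filter chain) so it runs on every request, including the one that creates the session.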
