Jan 27th, 2011, 11:28 AM
Check Session on Same IP Address
Is there a way of checking that the session has stayed on the same IP address - to stop someone stealing the cookie and hijacking the session from another IP address?
I know how to put the IP address into the session - during authentication, but I don't know how to put in a hook that checks things during every page request.
Jan 27th, 2011, 11:34 AM
You should be able to do this with a simple servlet filter which checks the IP address from the request against the original one.
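A filter of the kind suggested above, written here as an added example rather than code from this thread: it assumes the login code stored `request.getRemoteAddr()` in the session under a hypothetical attribute name `AUTH_CLIENT_IP`, and that `/logout` is the application's logout URL.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds an authenticated session to the client address it was created from.
 * The login code is expected to store the address under SESSION_IP_ATTR
 * (hypothetical attribute name). If a later request on the same session
 * arrives from a different address, the session is invalidated and the
 * client is sent to the logout URL.
 */
public class SessionIpBindingFilter implements Filter {

    public static final String SESSION_IP_ATTR = "AUTH_CLIENT_IP"; // assumed name
    private static final String LOGOUT_URL = "/logout";             // assumed URL

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null) {
            String boundIp = (String) session.getAttribute(SESSION_IP_ATTR);
            String currentIp = request.getRemoteAddr();
            if (boundIp != null && !boundIp.equals(currentIp)) {
                // Address changed since authentication: stop trusting this session.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + LOGOUT_URL);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, so the comparison is only meaningful against a forwarded-client header you have verified the proxy sets itself. Users on mobile networks or behind load-balanced NAT can legitimately change address mid-session, so decide whether a mismatch should end the session or only be logged for review.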
Jan 28th, 2011, 01:51 AM
Thanks, that would be a simple, obvious solution!
If it fails I guess the answer is to put a redirect to the logout page in the response?
Just out of interest, does the 'hook' I mentioned exist in Spring Security - one that calls code when the authentication against the stored session is performed? I assume Spring Security rechecks the credentials on each request - or does it just assume that everything is okay if a session with the authority merely exists?
Jan 28th, 2011, 07:19 AM
The user is authenticated once for the session - thereafter the session token is what ties the user to the originally authenticated identity. The credentials aren't checked on each request - the request doesn't typically contain them, so how would they be checked?