Friday, October 03, 2008

Protected sessions

A server-side component lets you add extra protection for your HTTP sessions. The idea is straightforward: as soon as a new session is created, we remember the IP address of its creator, and for the rest of the session's lifetime every request must come from that same address. If the address changes, we assume the session ID has been stolen. All of these steps can be combined in a single servlet filter: Protected sessions.
The filter saves the IP address for fresh sessions and checks it on every subsequent request.
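The filter described above, written out as an added example (it is not the code from the original post); the session attribute name `protected.session.ip` and the class name are my own choices:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example (not the original post's code): binds each HTTP session
 * to the client IP address seen when the session was created.
 */
public class ProtectedSessionFilter implements Filter {

    // Session attribute under which the creator's IP is stored (name is our choice).
    static final String ATTR_IP = "protected.session.ip";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session just to check it; only existing sessions are protected.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // getRemoteAddr() is the TCP peer address; it is not read from headers
            // such as X-Forwarded-For, which the client itself could set.
            String clientIp = request.getRemoteAddr();
            String boundIp = (String) session.getAttribute(ATTR_IP);

            if (boundIp == null) {
                // Fresh session: remember the creator's address.
                session.setAttribute(ATTR_IP, clientIp);
            } else if (!boundIp.equals(clientIp)) {
                // Address changed during the session's lifetime: treat the
                // session ID as stolen, drop the session and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the URL patterns that use sessions. Bear in mind that users behind changing NAT or mobile networks will legitimately change address and be logged out, and that behind a reverse proxy getRemoteAddr() returns the proxy's address, so the check must then be fed a trusted client-address value instead.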
