This is JohanDam's Typepad Profile.
Recent Activity
Let's close this BOLD text first.

Session IDs are saved through cookies, so if your security is based on sessions, it is based on cookies. IP is pretty secure, but since the IP would come from the router / provider and not the computer, this adds nothing to prevent something like Firesheep. Also, people who use AOL have dynamic IPs, which can change at every request, breaking every site with IP-based security. User agents are meh; it does add security, but not much. Personally I make sure that IF a session gets stolen, a person can't do TOO much damage: highly personal data (like credit data) is only shown partially and nothing personal can be changed without a password. TL;DR: A website can't do much to prevent session theft, so it is better to assume every session will be stolen and make sure nothing can go to hell if that happens.
Commented Nov 15, 2010 on Breaking the Web's Cookie Jar at Coding Horror
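The damage-limiting design the comment above describes (treat every session as potentially stolen, mask sensitive data on read, and require the password again before anything personal is changed) as a small added Python example. This is illustrative code written for this page, not code from the commenter or from Coding Horror; the user store, the session store, the salt and the account data are constructed in-memory stand-ins for a real database.

```python
import hashlib
import hmac
import secrets

# Constructed salt and in-memory stores standing in for a database.
# A real deployment would use a per-user random salt and persistent storage.
SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; slow on purpose so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse", SALT),
        "card": "4111111111111111",  # constructed test card number
        "email": "alice@example.com",
    }
}
SESSIONS = {}  # session id (the cookie value) -> username


def login(username: str, password: str):
    """Verify the password and mint a random, unguessable session id."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, SALT)):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def mask_card(number: str) -> str:
    """Show only the last four digits, as the comment suggests for credit data."""
    return "*" * (len(number) - 4) + number[-4:]


def view_profile(sid: str):
    """Read-only view: the session cookie alone is enough, but sensitive
    fields are masked, so a stolen cookie reveals as little as possible."""
    username = SESSIONS.get(sid)
    if username is None:
        return None
    user = USERS[username]
    return {"email": user["email"], "card": mask_card(user["card"])}


def change_email(sid: str, new_email: str, password: str) -> bool:
    """Changing personal data requires the password again: a stolen
    session cookie by itself cannot perform this action."""
    username = SESSIONS.get(sid)
    if username is None:
        return False
    user = USERS[username]
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, SALT)):
        return False
    user["email"] = new_email
    return True


if __name__ == "__main__":
    sid = login("alice", "correct horse")
    print(view_profile(sid))                      # card is masked
    print(change_email(sid, "x@example.com", ""))  # False: cookie alone is not enough
```

The split between `view_profile` (cookie is sufficient, output is masked) and `change_email` (cookie plus fresh password) is the whole point: even if the cookie leaks over plain HTTP, the holder can look at a partially redacted profile but cannot rewrite it.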
JohanDam is now following The Typepad Team
Nov 15, 2010