Session Hijacking

Discussion in 'Java' started by vjmaker78@gmail.com, Feb 9, 2006.

  1. Guest

    I am dealing with a situation where a session has to be maintained for a
    person in a network, but he is always facing a problem: he has to give his
    password again for logging in.
    The problem is that it is taking a different IP address with every new
    request (as in a network).
    How can I solve this problem by using some bits of the IP
    address (192.168.11.10 etc.)?
    Actually, every time the program reads the IP address of the system + session ID,
    creates a new string value of it and cross-checks that value with
    the value it got last with the incoming request for tracing the original
    session. But as in a network it takes a different IP every time, so at last a
    mismatch happens. Can some different concept of using 8, 16, 24, 32 or
    any number of bits solve this problem? I think Google and Yahoo work on a
    concept where the IP is not very important etc.
    Please give me some clues to proceed.

    Vijendra
     
    , Feb 9, 2006
    #1
    1. Advertising

  2. wrote:
    > I am dealing with a situation where a session has to be maintained for a
    > person in a network, but he is always facing a problem: he has to give his
    > password again for logging in.
    > The problem is that it is taking a different IP address with every new
    > request (as in a network).
    > How can I solve this problem by using some bits of the IP
    > address (192.168.11.10 etc.)?
    > Actually, every time the program reads the IP address of the system + session ID,
    > creates a new string value of it and cross-checks that value with
    > the value it got last with the incoming request for tracing the original
    > session. But as in a network it takes a different IP every time, so at last a
    > mismatch happens. Can some different concept of using 8, 16, 24, 32 or
    > any number of bits solve this problem? I think Google and Yahoo work on a
    > concept where the IP is not very important etc.
    > Please give me some clues to proceed.


    It's not really clear. Are you saying you have to restore someone's
    session after he logs in from another machine?
    In that case serialize your session information and save it
    somewhere every time it changes. This doesn't consider the case, of
    course, when two people are working at the same time with the same account.

    Andrea Desole, Feb 9, 2006
    #2

  3. Guest

    Here I am talking about a single person who, when he logs in through a
    network, gets the same message to give his password again and again.

    This mechanism works well with sessions that have not been hijacked, as it
    cross-checks the session value + IP address every time a request comes.

    It basically creates a new string value of (session + IP address) and stores
    it for cross-checking.

    The network takes a new IP every time for a single person, also for his
    every new request,
    and ultimately a mismatch happens, resulting in asking for the password
    again every time.

    It's like every time the program reads the IP address of the system + session ID,
    creates a new string value of it and cross-checks that value with
    the value it got last with the incoming request for tracing the original

    session. But as in a network it takes a different IP every time, so at last a
    mismatch happens.

    If you want further clarification you can ask me more.

    Vj

    , Feb 9, 2006
    #3
  4. impaler Guest

    > The network takes a new IP every time for a single person, also for his
    > every new request,
    > and ultimately a mismatch happens, resulting in asking for the password
    > again every time.


    You mean something like: you have a web app that has a login screen,
    you log in, the IP is sent and the session is created. You click a link
    and the IP address changes? That's weird.

    Please define this "every time" a little more. Between screens/modules,
    app instances?

    impaler, Feb 9, 2006
    #4
  5. Guest

    wrote:

    > Here I am talking about a single person who, when he logs in through a
    > network, gets the same message to give his password again and again.
    >
    > This mechanism works well with sessions that have not been hijacked, as it
    > cross-checks the session value + IP address every time a request comes.
    >
    > It basically creates a new string value of (session + IP address) and stores
    > it for cross-checking.
    >
    > The network takes a new IP every time for a single person, also for his
    > every new request,
    > and ultimately a mismatch happens, resulting in asking for the password
    > again every time.
    >
    > It's like every time the program reads the IP address of the system + session ID,
    > creates a new string value of it and cross-checks that value with
    > the value it got last with the incoming request for tracing the original
    >
    > session. But as in a network it takes a different IP every time, so at last a
    > mismatch happens.
    >
    > If you want further clarification you can ask me more.
    >
    > Vj


    I do a lot of non-traditional session work with web services,
    typically using java.util.UUID. Why do you attach the IP to your
    session? If the session ID is random, what advantage is there to
    trace it back to an IP or MAC address?

    FWIW, version 1 UUIDs include a MAC address. Google for 'java.util.UUID
    mini-FAQ' if interested.

    HTH,
    robert
    http://www.braziloutsource.com/

    , Feb 9, 2006
    #5
  6. JScoobyCed Guest

    wrote:
    > Here I am talking about a single person who, when he logs in through a
    > network, gets the same message to give his password again and again.


    Is it the expected behaviour or are you describing the problem? Be
    clear. Make short sentences.

    > This mechanism works well with sessions that have not been hijacked, as it
    > cross-checks the session value + IP address every time a request comes.


    Don't use hijacked without defining your understanding of it. Session
    hijack means somebody else from the network intercepts the communication
    and session and uses it to log on to the system.

    > It basically creates a new string value of (session + IP address) and stores
    > it for cross-checking.


    OK, this is clear.

    > The network takes a new IP every time for a single person, also for his
    > every new request,


    Please explain what protocol in place is changing the IP address of the
    client. Is it a mobile/PDA application that disconnects from the network
    at every request?

    > and ultimately a mismatch happens, resulting in asking for the password
    > again every time.


    Then maybe you shouldn't be using an IP+SessionId key to retrieve the
    Session. I don't know about the UUID proposed by 'iksrazal', but it
    sounds like a good solution if the MAC address is used instead of the
    changing IP.

    --
    JSC

    JScoobyCed, Feb 10, 2006
    #6
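The two approaches the thread ends up with, the original poster's "some bits of the IP address" idea and robert's "just use a random session ID", as an added example that is not code from any of the posters. It is a self-contained Java class with invented names (SessionBinding, SessionRecord, samePrefix, resolve): a session ID is generated from SecureRandom (java.util.UUID.randomUUID() gives an equivalent version-4 random ID; java.util.UUID does not generate the MAC-bearing version 1 IDs robert mentions, and an HTTP server never sees the client's MAC address anyway, so JScoobyCed's MAC suggestion cannot be implemented on the server side), and the IP check is made configurable from 0 bits (ignore the address, the Google/Yahoo model) up to 32 bits (exact match, the behaviour that locks the poster's user out). The sample addresses are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not code from the thread. Names are invented for illustration.
public class SessionBinding {

    /** Server-side record for one session; the client only ever holds the ID string. */
    static final class SessionRecord {
        final String user;
        final byte[] ipAtLogin;
        SessionRecord(String user, byte[] ipAtLogin) {
            this.user = user;
            this.ipAtLogin = ipAtLogin;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, SessionRecord> sessions = new ConcurrentHashMap<>();
    /** How many leading bits of the client IPv4 address must match: 0 = ignore IP, 32 = exact. */
    private final int prefixBits;

    SessionBinding(int prefixBits) {
        if (prefixBits < 0 || prefixBits > 32) throw new IllegalArgumentException("prefixBits must be 0..32");
        this.prefixBits = prefixBits;
    }

    /** 128 bits from SecureRandom, URL-safe encoded: unguessable, unlike IP-derived values. */
    static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Called only after the password check succeeds; always issues a fresh ID. */
    String login(String user, String clientIp) throws UnknownHostException {
        String id = newSessionId();
        byte[] ip = InetAddress.getByName(clientIp).getAddress(); // literal IPv4, no DNS lookup
        sessions.put(id, new SessionRecord(user, ip));
        return id;
    }

    /** True if the first prefixBits of two IPv4 addresses are equal (the "8, 16, 24, 32 bits" idea). */
    static boolean samePrefix(byte[] a, byte[] b, int prefixBits) {
        if (a.length != 4 || b.length != 4) return false; // this example handles IPv4 only
        int fullBytes = prefixBits / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (a[i] != b[i]) return false;
        }
        int remaining = prefixBits % 8;
        if (remaining == 0) return true;
        int mask = (0xFF << (8 - remaining)) & 0xFF; // e.g. 4 remaining bits -> 0xF0
        return (a[fullBytes] & mask) == (b[fullBytes] & mask);
    }

    /** Returns the session's user, or null if the ID is unknown or the IP binding fails. */
    String resolve(String sessionId, String clientIp) throws UnknownHostException {
        SessionRecord rec = sessions.get(sessionId);
        if (rec == null) return null;
        if (prefixBits > 0) {
            byte[] now = InetAddress.getByName(clientIp).getAddress();
            if (!samePrefix(rec.ipAtLogin, now, prefixBits)) return null; // poster's "ask for password again"
        }
        return rec.user;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Exact-match binding: the failure the original poster describes.
        SessionBinding exact = new SessionBinding(32);
        String id = exact.login("vijendra", "192.168.11.10");
        System.out.println(exact.resolve(id, "192.168.11.10")); // vijendra
        System.out.println(exact.resolve(id, "192.168.11.37")); // null: new address, session rejected

        // /24 binding: tolerates address changes inside the same subnet only.
        SessionBinding subnet = new SessionBinding(24);
        id = subnet.login("vijendra", "192.168.11.10");
        System.out.println(subnet.resolve(id, "192.168.11.37")); // vijendra
        System.out.println(subnet.resolve(id, "192.168.12.37")); // null

        // No IP binding: the random ID alone identifies the session.
        SessionBinding none = new SessionBinding(0);
        id = none.login("vijendra", "192.168.11.10");
        System.out.println(none.resolve(id, "10.0.0.1")); // vijendra
        System.out.println(none.resolve("guessed-id", "10.0.0.1")); // null: unknown ID
    }
}
```

What the prefix mask buys a defender is limited: it only rejects a presented session ID when the request arrives from outside the chosen prefix, so an interceptor on the same segment (the case JScoobyCed calls session hijacking) passes a /24 check just as the legitimate user does, while a user behind a pool of outbound proxies is locked out. The properties that actually protect the session are the ones the block keeps regardless of prefixBits: a 128-bit ID from SecureRandom, issued fresh at login and stored only on the server.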
