
Session Hijacking

vjmaker78@gmail.com - 09 Feb 2006 06:05 GMT
I am dealing with a situation where a session has to be maintained for a
person in a network, but he is always facing a problem. He has to give
the password again for logging in.
The problem is it is taking a different IP address with every new request (as
in network).
How can I solve this problem by using some bits of the IP
address (192.168.11.10 etc.)?
Actually, every time the program reads the IP address of the system + session ID
and creates a new string value of it and cross-checks that value with
the value it gets at last with the incoming request for tracing the original
session. But as in network it takes a different IP every time. So at last
a mismatch happens. Can using some different concept of using 8, 16, 24, 32,
any no. of bits, solve this problem? I think Google, Yahoo work on a
concept where the IP is not very important etc.
Please give me some clues to proceed.

Vijendra
Andrea Desole - 09 Feb 2006 09:43 GMT
> I am dealing with a situation where a session has to be maintained for a
> person in a network, but he is always facing a problem. He has to give
[quoted text clipped - 11 lines]
> concept where ip is not very important etc.
> Please give me some clues to proceed.

It's not really clear. Are you saying you have to restore someone's
session after he logs in from another machine?
In that case serialize your session information and save it
somewhere every time it changes. This doesn't consider the case, of
course, when two people are working at the same time with the same account.
vjmaker78@gmail.com - 09 Feb 2006 10:12 GMT
Here I am talking about a single person who, when he logs in through a
network, gets the same message to give the password again and again.

This mechanism works well with the session not being hijacked, as it cross-checks
the session value + IP address every time a request comes.

It basically creates a new string value of (session + IP address) and stores
it for cross-checking.

The network takes a new IP every time for a single person, also for his
every new request,
and ultimately a mismatch happens, resulting in it asking for the password again
every time.

It's like every time the program reads the IP address of the system + session ID
and creates a new string value of it and cross-checks that value with
the value it gets at last with the incoming request for tracing the original
session. But as in network it takes a different IP every time. So at last
a mismatch happens.

If you want further clarification, you can ask me more.

Vj
impaler - 09 Feb 2006 10:24 GMT
> The network takes a new IP every time for a single person, also for his
> every new request,
> and ultimately a mismatch happens, resulting in it asking for the password again
> every time.

You mean something like: you have a web app that has a login screen,
you log in, the IP is sent and the session is created. You click a link
and the IP address changes? That's weird.

Please define this "every time" a little more. Between screens/modules,
app instances.
iksrazal@gmail.com - 09 Feb 2006 12:27 GMT
> Here I am talking about a single person who, when he logs in through a
> network, gets the same message to give the password again and again.
[quoted text clipped - 20 lines]
>
> Vj

I do a lot of non-traditional session work with web services -
typically using java.util.UUID. Why do you attach the IP to your
session? If the session ID is random - what advantage is there to
trace it back to an IP or MAC address?

FWIW, version 1 UUIDs include a MAC address. Google for 'java.util.UUID
mini-FAQ' if interested.

HTH,
robert
http://www.braziloutsource.com/
JScoobyCed - 10 Feb 2006 00:33 GMT
> Here I am talking about a single person who, when he logs in through a
> network, gets the same message to give the password again and again.

Is it the expected behaviour or are you describing the problem ? Be
clear. Make short sentences.

> This mechanism works well with the session not being hijacked, as it cross-checks
> the session value + IP address every time a request comes.

Don't use hijacked without defining your understanding of it. Session
hijack means somebody else from the network intercepts the communication
and session and uses it to log on to the system.

> It basically creates a new string value of (session + IP address) and stores
> it for cross-checking.

OK, this is clear.

> The network takes a new IP every time for a single person, also for his
> every new request.

Please explain what protocol in place is changing the IP address of the
client? Is it a mobile/pda application that disconnects from the network
at every request?

> and ultimately a mismatch happens, resulting in it asking for the password again
> every time.

Then maybe you shouldn't be using an IP+SessionId key to retrieve the
Session. I don't know about the UUID proposed by 'iksrazal' but it
sounds like a good solution if the MAC address is used instead of the
changing IP.

JSC
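
The 8/16/24/32-bit comparison asked about in the first post, as an added example that is not part of the thread or any poster's code: it issues a random session ID with java.util.UUID and checks later request addresses against the login address at each prefix length. The class and method names are hypothetical, and every address other than 192.168.11.10 is constructed for illustration.

```java
import java.util.UUID;

// Added example (hypothetical names): how many leading bits of the login IP
// a session check requires, and which later requests that accepts.
public class SessionIpBinding {

    // Parse a dotted-quad IPv4 literal into a 32-bit value; rejects anything else.
    static int parseIpv4(String ip) {
        String[] parts = ip.split("\\.", -1);
        if (parts.length != 4) {
            throw new IllegalArgumentException("not an IPv4 literal: " + ip);
        }
        int value = 0;
        for (String part : parts) {
            int octet = Integer.parseInt(part); // NumberFormatException is an IllegalArgumentException
            if (octet < 0 || octet > 255) {
                throw new IllegalArgumentException("octet out of range in: " + ip);
            }
            value = (value << 8) | octet;
        }
        return value;
    }

    // True when both addresses share their first prefixBits bits (0..32).
    static boolean samePrefix(String loginIp, String requestIp, int prefixBits) {
        if (prefixBits < 0 || prefixBits > 32) {
            throw new IllegalArgumentException("prefixBits must be 0..32");
        }
        // Java masks shift counts to 5 bits, so "-1 << 32" would be -1, not 0.
        int mask = (prefixBits == 0) ? 0 : (-1 << (32 - prefixBits));
        return (parseIpv4(loginIp) & mask) == (parseIpv4(requestIp) & mask);
    }

    public static void main(String[] args) {
        // The random (version 4) UUID is the credential; the IP is only a side check.
        String sessionId = UUID.randomUUID().toString();
        String loginIp = "192.168.11.10";                        // address from the first post
        String[] later = { "192.168.11.10", "192.168.11.57",     // constructed sample requests
                           "192.168.40.3", "10.0.0.8" };
        System.out.println("session " + sessionId + " bound at login to " + loginIp);
        for (int bits : new int[] { 32, 24, 16, 8 }) {
            StringBuilder row = new StringBuilder(String.format("/%-2d", bits));
            for (String ip : later) {
                row.append("  ").append(ip).append('=')
                   .append(samePrefix(loginIp, ip, bits) ? "ok" : "re-login");
            }
            System.out.println(row);
        }
    }
}
```

Each shorter prefix removes false mismatches for a client whose address changes, but it also lets any other host inside that prefix pass the IP check, so the unguessable session ID is still what protects the session.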


