Hi,

On Tue, Sep 24, 2013 at 12:46 PM, Ronald Chmara <rona...@gmail.com> wrote:

> When you have a group of front-end termination points in a pool, proxying
> requests off to hundreds of machines for thousands of applications, tying a
> session to any IP is a headache. IMO, sessions are supposed to be tied to
> users, not any given inbound IP that can, and may, jump between different
> routers, proxies, NAT hosts, etc.

Session is tied to a specific user (browser) regardless of IP unless
the session ID is hijacked. Renewing the session ID does not matter.

Regenerating the session ID when the IP has changed would help users to notice
a session hijack. This is the sole purpose of regenerating the session ID when
the IP has changed. I think only a few apps do this now.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
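
Added example (not part of the original message, and not PHP's own code): a small Python model of the behaviour discussed above. It assumes the server deletes the old ID when it regenerates (as PHP's `session_regenerate_id(true)` does) and that the user "notices" through an unexpected login prompt; `SessionStore`, `simulate_shared_id` and `simulate_roaming` are hypothetical names and the IP addresses are constructed documentation addresses.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed model)."""

    def __init__(self):
        self._sessions = {}  # session ID -> {"user": ..., "ip": ...}

    def login(self, user, ip):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def request(self, sid, ip):
        """Handle one request; return (status, session ID to use next)."""
        data = self._sessions.get(sid)
        if data is None:
            return "login_required", None  # unknown or retired ID
        if data["ip"] == ip:
            return "ok", sid
        # IP changed: move the data to a fresh ID and retire the old one.
        del self._sessions[sid]
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": data["user"], "ip": ip}
        return "ok_regenerated", new_sid


def simulate_shared_id():
    """Two clients hold the same ID; only one receives the regenerated ID."""
    store = SessionStore()
    sid = store.login("alice", "198.51.100.10")
    first = store.request(sid, "198.51.100.10")    # owner, original address
    second = store.request(sid, "203.0.113.77")    # same ID, other address
    third = store.request(sid, "198.51.100.10")    # owner again, old ID
    # The session is not blocked for the second client; the owner is the
    # one who sees "login_required", which is the visible signal.
    return sid, [first, second, third]


def simulate_roaming():
    """One client changes networks and keeps using the ID it was handed."""
    store = SessionStore()
    sid = store.login("bob", "198.51.100.20")
    status1, sid = store.request(sid, "192.0.2.5")  # moved to a new network
    status2, sid = store.request(sid, "192.0.2.5")  # follows the new ID
    return [status1, status2]


if __name__ == "__main__":
    print(simulate_shared_id()[1])
    print(simulate_roaming())
```

A roaming client that follows the new cookie sees no interruption, so regeneration only surfaces the case where two clients share one ID.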