> From: Zaki Akhmad [mailto:[email protected]]
> 2009/3/13 zhaoxueqing <[email protected]>:
>
> > jsessionid is the only way to identify the logged-in user.
> > If you get it, you are this user.
> > But we can check others, for example IP!

Difficult, depending on your environment.  Some ISPs run large proxy clusters, 
meaning that different requests can appear to come from different IP addresses.

> But we can *still* do IP spoofing. Any other better recommendation?

Don't just use a non-varying shared secret (a password) as login information.  
Instead, use client certificate authentication (distributed by non-network 
means such as USB keys) and/or a SecurID token or similar.  All of which pushes 
the cost of security to the point that the application may be unworkable.

What is "good enough" for your application?

                - Peter
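One way to act on Peter's suggestion in servlet code, as an added example that is not part of this thread: a filter that binds each session to the subject of the client certificate presented during the TLS handshake, so a copied jsessionid on its own no longer identifies the user. The filter class name and the session attribute name are assumptions; the request attribute `javax.servlet.request.X509Certificate` is the standard one the Servlet spec defines.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Binds an HTTP session to the client certificate that was presented when the
 * session was first used. A stolen jsessionid is then useless without the
 * matching private key. Assumes the container is configured for client
 * certificate authentication (e.g. CLIENT-CERT in web.xml), so that it exposes
 * the verified chain as a request attribute.
 */
public class SessionCertBindingFilter implements Filter {
    // Session attribute holding the bound certificate subject (name chosen for this example).
    static final String BOUND_SUBJECT = "boundCertSubject";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Standard Servlet attribute: certificate chain verified during the TLS handshake.
        X509Certificate[] certs = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        String subject = certs[0].getSubjectX500Principal().getName();

        HttpSession session = request.getSession(true);
        String bound = (String) session.getAttribute(BOUND_SUBJECT);
        if (bound == null) {
            // First request on this session: bind it to the presented certificate.
            session.setAttribute(BOUND_SUBJECT, subject);
        } else if (!bound.equals(subject)) {
            // Same session id, different identity: treat as a hijack and drop the session.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session/certificate mismatch");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the protected URL patterns in web.xml; it complements, rather than replaces, the container's own CLIENT-CERT login configuration.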

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]