How do I protect my users from session hijacking?
                +1 
                A: 
                
                
              From StackOverflow's creators blog
Preventing CSRF and XSRF Attacks
Found by Googling "Prevent csrf"
http://www.google.com/search?client=safari&rls=en&q=prevent+csrf&ie=UTF-8&oe=UTF-8
                  Christopher Altman
                   2010-04-15 19:58:06
                
              Session riding is one of many attacks that can compromise a session.
                  Rook
                   2010-04-15 19:59:24
                Good point, when I read this question my mind went immediately to cross site request forgery, but you are right, there are man in the middle and other attacks.
                  Christopher Altman
                   2010-04-15 20:00:45
                
                +1 
                A: 
                
                
              One way that I know of is to check for consistency in the IP address of the user. By this I mean checking that the current IP address matches the IP address last used during the same session. This would, however, not stop session hijacking from someone using the same IP address.
                  RadiantHeart
                   2010-04-15 19:59:10
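
The IP-consistency check described in the answer above, as an added example that is not part of the original post. `SessionStore`, `normalize_ip` and the sample addresses are hypothetical names and constructed values; it also shows the limitation the answer mentions, since a request from the same address still passes.

```python
import ipaddress
import secrets


def normalize_ip(raw):
    """Canonical form, so '::ffff:203.0.113.5' and '203.0.113.5' compare equal."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


class SessionStore:
    """In-memory store (hypothetical; a real app would use its framework's sessions)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "ip": ...}

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "ip": normalize_ip(client_ip)}
        return sid

    def validate(self, sid, client_ip):
        """Return the user if the request comes from the session's IP, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if normalize_ip(client_ip) != session["ip"]:
            # Address changed mid-session: drop the session and force a new login.
            del self._sessions[sid]
            return None
        return session["user"]


def demo():
    store = SessionStore()
    sid = store.create("alice", "203.0.113.5")           # constructed sample addresses
    same_ip = store.validate(sid, "::ffff:203.0.113.5")  # same client, IPv4-mapped form
    shared_ip = store.validate(sid, "203.0.113.5")       # any host behind the same address passes
    other_ip = store.validate(sid, "198.51.100.7")       # different address: rejected
    after = store.validate(sid, "203.0.113.5")           # session was destroyed by the mismatch
    return same_ip, shared_ip, other_ip, after
```
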
                
              
                +3 
                A: 
                
                
              
            There are three sections in the OWASP Top 10 for 2010 that you should read.
1: (!!) A3: "Broken Authentication and Session Management." (!!)
2: "Cross Site Request Forgery" (XSRF)
3: "Cross Site Scripting" (XSS)
                  Rook
                   2010-04-15 20:01:03