by Jeema3000
5616 days ago
Well here's one way I think would work, but it's not ideal and still not 100% foolproof:

A) Keep a running counter between the server and client.

B) If, at any point, there are two active sessions both associated with the same user login, delete both sessions (thus logging out both the legitimate user and the attacker).

Session hijacking is still possible with this method, but only for the duration of one request (as long as you, the legitimate user, remember to log out at the end). The main disadvantage is that if the request or response gets messed up, the session will be lost. Even if someone does something as simple as click a link twice before the response comes back, the session will be lost. So, yeah, kind of a major usability drag... Although... you could probably eliminate most lost session situations by using the counter method and allowing some leeway in it (say 2 or 3 requests off) to take into account double link click scenarios. That might be a good compromise...
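A server-side sketch of the two mechanisms proposed in the comment above, added here as an example that is not part of the original post: a per-session running request counter that tolerates a small leeway window (so a double click or a lost response does not log the user out), plus revocation of every session for a user the moment a second login for that user appears. The `SessionStore` class, the `LEEWAY` value and the in-memory dictionary are assumptions made for the example.

```python
import secrets
from typing import Optional, Tuple

# Constructed example: how far the client's counter may drift from the
# server's before the session is treated as shared with someone else.
LEEWAY = 2


class SessionStore:
    """In-memory session store implementing the counter and duplicate-login checks."""

    def __init__(self, leeway: int = LEEWAY):
        self.leeway = leeway
        self.sessions = {}  # session_id -> {"user": str, "counter": int}

    def login(self, user: str) -> Optional[str]:
        """Create a session for user; if one already exists, revoke all of them
        and return None so the caller must authenticate again (rule B)."""
        existing = [sid for sid, s in self.sessions.items() if s["user"] == user]
        if existing:
            for sid in existing:
                del self.sessions[sid]
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "counter": 0}
        return sid

    def request(self, sid: str, client_counter: int) -> Tuple[bool, Optional[int]]:
        """Validate one request carrying the client's running counter (rule A).

        Returns (accepted, next_counter). A counter inside the leeway window
        is accepted and the server resynchronises to it; a counter outside
        the window means a second party is using the session, so it is revoked.
        """
        s = self.sessions.get(sid)
        if s is None:
            return False, None
        expected = s["counter"]
        if abs(expected - client_counter) > self.leeway:
            del self.sessions[sid]
            return False, None
        s["counter"] = client_counter + 1
        return True, s["counter"]
```

A real deployment would also expire sessions by time and bind the counter to the session cookie rather than a bare integer, but the revocation logic is what the comment describes.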