by hn_throwaway_99
1405 days ago
> Compromised sessions is not necessarily a concern, unless the attacker has physical access to the location, since systems can detect if the location changes. E.g. IP address change prompts the user.

I don't think that's a valid approach anymore. FWIW I have coded these restrictions into auth tokens before (i.e. reject the auth token if it's from a new IP), but had to get rid of it because too many ISPs frequently change a user's IP address, especially mobile clients.
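An added example, not the commenter's code: a minimal HMAC-signed token that records the login IP, checked with and without the "reject if from a new IP" rule, run over a constructed session in which one legitimate mobile client changes address. The key, function names, user name and addresses are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-side signing key


def issue_token(user, ip):
    """Sign a token whose payload records the client IP seen at login."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user, "ip": ip}).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig


def check_token(token, request_ip, bind_ip=True):
    """Return the user name if the token is accepted, else None."""
    try:
        body, sig = token.rsplit(b".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or corrupted token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if bind_ip and claims["ip"] != request_ip:
        return None  # the IP restriction described in the comment
    return claims["sub"]


# Constructed request log: one legitimate mobile user whose carrier
# reassigns the address mid-session (documentation IP ranges).
REQUESTS = ["198.51.100.7", "198.51.100.7", "203.0.113.42", "203.0.113.9"]


def rejected_requests(bind_ip):
    """Count how many of the legitimate user's requests get rejected."""
    token = issue_token("alice", REQUESTS[0])
    return sum(check_token(token, ip, bind_ip) is None for ip in REQUESTS)


if __name__ == "__main__":
    print("rejected with IP binding:", rejected_requests(True))
    print("rejected without IP binding:", rejected_requests(False))
```

With the binding enabled, every request after the address change is refused even though the token itself is valid and untampered.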