
  • Check Session on Same IP Address

    Is there a way of checking that the session has stayed on the same IP address - to stop someone stealing the cookie and hijacking the session from another IP address?

    I know how to put the IP address into the session - during authentication, but I don't know how to put in a hook that checks things during every page request.

  • #2
    You should be able to do this with a simple servlet filter which checks the IP address from the request against the original one.


    • #3
      Thanks, that would be a simple, obvious solution!

      If it fails I guess the answer is to put a redirect to the logout page in the response?

      Just out of interest, does the 'hook' I mentioned exist in Spring Security - one that calls code when the authentication against the stored session is performed? I assume Spring Security rechecks the credentials on each request - or does it just assume that everything is okay if a session with the authority merely exists?


      • #4
        The user is authenticated once for the session - thereafter the session token is what ties the user to the originally authenticated identity. The credentials aren't checked on each request - the request doesn't typically contain them, so how would they be checked?
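
The servlet filter suggested in #2, with the logout redirect raised in #3, as an added example that is not part of any post in this thread and is not Spring Security's own code. It assumes the `jakarta.servlet` API (older containers use `javax.servlet`), that the login code stores `request.getRemoteAddr()` in the session under the hypothetical attribute name `BOUND_IP_ATTR`, and a hypothetical `/logout` path.

```java
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

public class SessionIpBindingFilter implements Filter {
    // Hypothetical attribute name: the login code sets it once, right after
    // authentication, to request.getRemoteAddr().
    static final String BOUND_IP_ATTR = "session.boundRemoteAddr";
    // Hypothetical logout path: adjust to the application.
    static final String LOGOUT_URL = "/logout";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to run this check.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object boundIp = session.getAttribute(BOUND_IP_ATTR);
            // Behind a reverse proxy or load balancer this is the proxy's
            // address, so every client would appear to share one IP.
            String currentIp = request.getRemoteAddr();

            // Unauthenticated sessions have no bound address and pass through.
            if (boundIp != null && !boundIp.equals(currentIp)) {
                request.getServletContext().log(
                        "Session IP mismatch: bound=" + boundIp + " current=" + currentIp);
                // Kill the server-side session so the cookie is useless from
                // any address, then send the client to the logout page.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + LOGOUT_URL);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter so that it runs on every request for protected pages. Clients whose address legitimately changes mid-session (mobile networks, NAT pools) will be logged out by this check, and it does not stop a hijacker who shares the victim's outbound address.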