I’m looking to prevent session hijacking in my ASP.NET application and came across this great post by Jeff Prosise. However, it’s from 2004 and I was wondering if there have been any updates that either perform the same thing, or result in any complications? Also, has anyone used this on a production server and, if so, have there been any issues caused by this? The only problem that could affect my applications is if someone’s IP network changes in a short period of time, but I can’t imagine this being very likely.
Thanks
This is an interesting approach to session hardening but it does not stop session hijacking. This system has the same problem as HTTPOnly Cookies which is that an attacker can create requests from the victim’s browser using xss and there for the attacker doesn’t need to know the value of the session id.
This quote is taken from the article you linked to:
This raises the bar, but you still need to patch your XSS and CSRF vulnerabilities.