Re: Reality Check: Session Hijacking
From: Daniel Tryba (news_comp.lang.php_at_canopus.nl)
Date: 05/07/04
Date: Fri, 7 May 2004 12:38:37 +0000 (UTC)
R. Rajesh Jeba Anbiah <ng4rrjanbiah@rediffmail.com> wrote:
>> Sure, if you only look to the x-forwarded-for (or equiv) header you are
>> totally screwed.... with my own proxy/network I can put any IP address
>> in there I want :)
>
> Just curious... what is your proxy? and what will be the result of
> print_r($_SERVER) if your real ip is say x.y.z.a?
I'm running a simple squid setup, with my local network behind a NAT
box (Linux, which also runs squid). So I can assign any network I want to
my localnet and it gets translated to x.y.a.z as the
$_SERVER['REMOTE_ADDR']; squid sees the request coming from my chosen
internal IP address d.e.f.g and puts that in $_SERVER['X-FORWARDED-FOR'].
-- Daniel Tryba
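
As an added example (not part of the original post or thread), the PHP below resolves a client address for session binding so that X-Forwarded-For is only honoured when REMOTE_ADDR is a proxy the site itself operates. The function names, the trusted-proxy list and the sample addresses are assumptions made for illustration; it handles IPv4 only and assumes 64-bit PHP.

```php
<?php
// Added example: names and addresses are constructed (RFC 5737 / RFC 1918).
// PHP exposes the X-Forwarded-For header as $_SERVER['HTTP_X_FORWARDED_FOR'].

/** True if the IPv4 address $ip lies inside $cidr, e.g. "192.0.2.0/24". */
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Address to attribute the request to. The header is consulted only when the
 * TCP peer is one of our proxies, and is walked right to left, stopping at
 * the first hop we do not run; everything left of that is sender-chosen text.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $isTrusted = function (string $ip) use ($trustedProxies): bool {
        foreach ($trustedProxies as $cidr) {
            if (ipv4_in_cidr($ip, $cidr)) { return true; }
        }
        return false;
    };
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !$isTrusted($peer)) {
        return $peer; // header came from a party we do not control
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            break;    // malformed entry: stop walking the chain
        }
        $peer = $hop;
        if (!$isTrusted($hop)) { break; }
    }
    return $peer;
}

$trusted = ['192.0.2.10/32']; // constructed: the site's own reverse proxy
// Setup from the post: request arrives directly from an outside NAT/squid box.
var_dump(client_ip(['REMOTE_ADDR' => '198.51.100.7',
                    'HTTP_X_FORWARDED_FOR' => '10.1.2.3'], $trusted));
// Same sender, now passing through the site's proxy, which appended the peer.
var_dump(client_ip(['REMOTE_ADDR' => '192.0.2.10',
                    'HTTP_X_FORWARDED_FOR' => '10.1.2.3, 198.51.100.7'], $trusted));
```

In both calls the sender-chosen internal address is ignored and the externally visible address is the one a session would be bound to.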