Hi,
I have prepared a patch proposal for a new verify_user_agent
configuration option. It is very similar to verify_address; it checks
whether the User-Agent string from the HTTP request header has changed since
session initialization.
I know that it is not bullet-proof; on the other hand, a regular user does
not change his/her User-Agent string so often, therefore it could
contribute a bit to mitigation of session hijacking attacks.
Please have a look at SVN (I have also prepared some .t and doc patches):
http://dev.catalystframework.org/repos/Catalyst/Catalyst-Plugin-Session/0.00/branches/verify_user_agent/
I would appreciate it if you could consider merging my branch into trunk.
Thanks.
--
kmx
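
The check described in the message above, as a stand-alone sketch added here for illustration. It is not code from the branch or from Catalyst::Plugin::Session; the in-memory store, the `create_session`/`load_session` helpers, the `__user_agent` key and the sample header values are all assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical in-memory session store: session id => session data.
my %store;

# Record the User-Agent seen when the session is created
# (an absent header is stored as the empty string).
sub create_session {
    my ($sid, $headers) = @_;
    $store{$sid} = { __user_agent => $headers->{'User-Agent'} // '' };
    return $sid;
}

# Return the session data, or undef (and drop the session) when the
# User-Agent differs from the one recorded at creation.
sub load_session {
    my ($sid, $headers, %opt) = @_;
    my $data = $store{$sid} or return;
    if ($opt{verify_user_agent}) {
        my $now = $headers->{'User-Agent'} // '';
        if ($now ne $data->{__user_agent}) {
            warn "session $sid: User-Agent changed, deleting session\n";
            delete $store{$sid};
            return;
        }
    }
    return $data;
}

# Constructed sample requests (header values are made up).
my %browser = ('User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0');
my %other   = ('User-Agent' => 'ExampleClient/2.0');
my %missing = ();    # request that carries no User-Agent header at all

my @cases = (
    [ 'same UA',          \%browser ],    # accepted
    [ 'missing header',   \%missing ],    # rejected, session deleted
    [ 'same UA again',    \%browser ],    # rejected, session no longer exists
);

create_session('abc123', \%browser);
for my $case (@cases) {
    my ($label, $headers) = @$case;
    my $ok = load_session('abc123', $headers, verify_user_agent => 1);
    printf "%-16s %s\n", $label, $ok ? 'accepted' : 'rejected';
}

create_session('def456', \%browser);
printf "%-16s %s\n", 'check disabled',
    load_session('def456', \%other, verify_user_agent => 0) ? 'accepted' : 'rejected';
```

The header value is supplied by the client, so a comparison like this works alongside checks such as verify_address rather than replacing them.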