
My proposed solution only ties the cookie to the IP, so the user will have to log in again if their IP changes. But this means that even if an attacker who doesn't know the password gets a cookie, unless they have the same IP, they wouldn't get access.


What about people who are behind a proxy cluster, so each separate HTTP request may originate from a different IP address?

Assume nothing.
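The scheme debated above, as an added example that is not part of any commenter's post: the server binds a session id to the client IP with an HMAC, re-checks it on every request, and the demo shows both the intended effect (a cookie replayed from another address is rejected) and the failure mode raised in the reply (a proxy cluster rotating source IPs logs the legitimate user out). `SERVER_KEY`, the session id and the IP addresses are constructed values for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side secret for this example; a real deployment loads it
# from a key store rather than generating it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, client_ip: str) -> str:
    """HMAC over the session id and the IP the cookie is being bound to."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_ip: str) -> str:
    """Cookie value handed out at login: the session id plus its IP-bound tag."""
    return f"{session_id}.{_tag(session_id, client_ip)}"


def validate_cookie(cookie: str, client_ip: str) -> Optional[str]:
    """Return the session id if the cookie is intact and was issued for client_ip.

    The tag is recomputed over the *current* request's IP, so a cookie replayed
    from a different address fails, but so does a legitimate user whose
    address changed (NAT pool, proxy cluster, mobile handoff).
    """
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    if not hmac.compare_digest(_tag(session_id, client_ip), tag):
        return None
    return session_id


def demo() -> Dict[str, object]:
    """Issue one cookie from 203.0.113.10 and replay it from several addresses."""
    cookie = issue_cookie("sess-42", "203.0.113.10")
    # A proxy cluster may send consecutive requests from different egress IPs;
    # only the first one matches the address the cookie was bound to.
    cluster_egress = ("203.0.113.10", "203.0.113.11", "203.0.113.12")
    return {
        "same_ip": validate_cookie(cookie, "203.0.113.10"),
        "replayed_from_other_ip": validate_cookie(cookie, "198.51.100.7"),
        "proxy_cluster_rotation": [validate_cookie(cookie, ip) for ip in cluster_egress],
    }
```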



