published: January 29th, 2008
Devices that implement IP address-based session management follow the algorithm described by the pseudocode shown below:
The implications are obvious: devices located in environments in which different users share the same proxy are vulnerable to administrative session hijacking attacks. Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack in which sequence numbers are predicted by the attacker. [...]
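The weakness described above, shown as an added example that is not part of the advisory and is not a reconstruction of its pseudocode. The class and function names, the proxy address and the request objects are all constructed for illustration. The vulnerable pattern keys the administrative session on the client's source IP address, so any other client behind the same proxy is treated as the logged-in administrator; the hardened pattern keys it on a random token that only the administrator's client holds.

```python
"""Added illustration (not the advisory's pseudocode): IP-keyed sessions
versus token-keyed sessions behind a shared proxy. All names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the device sees it:
    the source IP address plus the cookie the client sends back, if any."""
    source_ip: str
    cookie: Optional[str] = None
    user: Optional[str] = None  # set only on the login request


class IpBasedSessions:
    """Vulnerable pattern: the device remembers 'this IP address is logged in'."""

    def __init__(self) -> None:
        self._logged_in: Dict[str, str] = {}  # source_ip -> username

    def login(self, req: Request) -> None:
        self._logged_in[req.source_ip] = req.user

    def current_user(self, req: Request) -> Optional[str]:
        # Every client arriving from the same address is treated as the admin.
        return self._logged_in.get(req.source_ip)


class TokenBasedSessions:
    """Hardened pattern: a random, unguessable token identifies the session,
    independent of the source address."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token -> username

    def login(self, req: Request) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = req.user
        return token  # handed to the client as a session cookie

    def current_user(self, req: Request) -> Optional[str]:
        if req.cookie is None:
            return None
        return self._sessions.get(req.cookie)


def demo() -> Dict[str, Optional[str]]:
    """Log an admin in through a shared proxy, then check what a different
    client behind the same proxy is treated as under each scheme."""
    proxy_ip = "203.0.113.10"  # constructed: address of a shared forward proxy
    ip_mgr, tok_mgr = IpBasedSessions(), TokenBasedSessions()

    admin_login = Request(proxy_ip, user="admin")
    ip_mgr.login(admin_login)
    token = tok_mgr.login(admin_login)

    # Another user behind the same proxy, sending no cookie at all.
    other_client = Request(proxy_ip)
    return {
        "ip_based": ip_mgr.current_user(other_client),          # "admin"
        "token_based": tok_mgr.current_user(other_client),      # None
        "admin_with_token": tok_mgr.current_user(Request(proxy_ip, cookie=token)),
    }


if __name__ == "__main__":
    print(demo())
```

The check a defender wants is the second entry of the result: with token-keyed sessions the other client behind the proxy is not authenticated, while under the IP-keyed scheme it is silently granted the administrator's session.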