My current customer is concerned about the possibility of session hijacking and has proposed functionality to destroy a session if the IP address of a user changes. This is not a solution, since I can't seem to access the IP address. Browsing the forum, I found this thread, where Arjan mentions a new mechanism in 4.3.0 to prevent session hijacking, but the release notes do not mention anything. I have two questions: What mechanism has Mendix implemented to prevent session hijacking (if any)? Has anyone implemented their own protection against session hijacking?
Rom van Arendonk
IP addresses are not reliable as protection from session hijacking, because they can be forged easily. Besides, they usually have no usable value if your apps are running behind load balancers and such (which is the case in the mendixcloud). Furthermore, you would lose your session if your laptop or phone is roaming through different wireless networks.
Instead Mendix applies CSRF tokens to prevent session hijacking.
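The two checks this thread contrasts, as an added example that is not Mendix's own code: an IP-bound session, as proposed in the question, beside a per-session CSRF token check of the kind the answer says Mendix relies on. The session store, user name and IP addresses are constructed for the demo.

```python
import hmac
import secrets

# Added example, not Mendix code: compares the two approaches discussed in the thread.
# A session record binds a server-side session id to the IP seen at login and to a
# random per-session CSRF token handed to the client.
class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "login_ip": client_ip,
            "csrf_token": secrets.token_urlsafe(32),
        }
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf_token"]

    def ip_bound_check(self, sid, client_ip):
        """IP-binding scheme proposed in the question: the session only survives
        while the client keeps the IP address it logged in from."""
        s = self._sessions.get(sid)
        return s is not None and s["login_ip"] == client_ip

    def csrf_check(self, sid, presented_token):
        """Synchronizer-token scheme: a state-changing request must carry the
        per-session token; a cookie alone, or a cross-site form post, lacks it."""
        s = self._sessions.get(sid)
        if s is None or presented_token is None:
            return False
        return hmac.compare_digest(s["csrf_token"], presented_token)


def demo():
    store = SessionStore()
    sid = store.login("alice", "10.0.0.5")   # constructed user and addresses
    token = store.csrf_token(sid)
    return {
        # same device moves to another network: the IP-bound session is lost...
        "roaming_ip_bound": store.ip_bound_check(sid, "192.168.1.20"),
        # ...while the token check does not depend on the request's source address
        "roaming_csrf": store.csrf_check(sid, token),
        # a request carrying the cookie but no (or a wrong) token is rejected
        "no_token_csrf": store.csrf_check(sid, None),
        "wrong_token_csrf": store.csrf_check(sid, "not-the-token"),
    }
```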