
Re: Let's talk about HTTPS Everywhere




On Jan 20, 2011 2:50 PM, "Celejar" <celejar@gmail.com> wrote:
>
> On Thu, 20 Jan 2011 03:36:03 -0600
> Dave Sherohman <dave@sherohman.org> wrote:
>
> ...
>
> > Some sites do associate the originating IP address with the session data
> > to help protect against session hijacking, but this is not overly
> > widespread and, even when it is employed, it has issues with proxies
> > (which can cause multiple users to appear on a single address) or
> > reverse proxies (which can cause a single user to appear on multiple
> > addresses), so https really is the only surefire way to prevent it.
>
> And it also won't help against an attacker who can use your IP address,
> such as a MITM attacker from the local network segment.
>

Unless you give them a cert and then proxy their connection... you're not really breaking SSL there though. The handshake and encryption are still sound.
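
The IP-binding check discussed in this thread, as an added example that is not part of the original messages: it replays four constructed requests against a session store that pins each token to the login address and shows where the check decides wrongly. The class `IPBoundSessions`, the function `evaluate` and the addresses (taken from documentation ranges) are hypothetical.

```python
import secrets


class IPBoundSessions:
    """Hypothetical in-memory store that pins each session token to one source IP."""

    def __init__(self):
        self._sessions = {}  # token -> (user, source IP seen at login)

    def login(self, user, source_ip):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, source_ip)
        return token

    def check(self, token, source_ip):
        """Return the session's user if token and source IP both match, else None."""
        entry = self._sessions.get(token)
        if entry is None or entry[1] != source_ip:
            return None
        return entry[0]


def evaluate():
    """Replay constructed requests and report which ones the IP check accepts."""
    store = IPBoundSessions()
    token = store.login("alice", "198.51.100.7")
    # (description, source IP the server sees, is the sender really alice?)
    requests = [
        ("alice, same address", "198.51.100.7", True),
        ("alice, proxy pool moved her to another address", "198.51.100.8", True),
        ("copied token, sender shares alice's address", "198.51.100.7", False),
        ("copied token, unrelated address", "203.0.113.50", False),
    ]
    return [(desc, legit, store.check(token, ip) == "alice")
            for desc, ip, legit in requests]


if __name__ == "__main__":
    for desc, legit, accepted in evaluate():
        verdict = "accepted" if accepted else "rejected"
        note = "" if legit == accepted else "  <-- wrong decision"
        print(f"{verdict:9} {desc}{note}")
```

Only the first and last requests are decided correctly: the address change locks out the legitimate user, and a sender on the same address passes the check, which is why the thread falls back on HTTPS to keep the token from being observed in the first place.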

