Re: Invision Power Board v2.1.4 - session hijacking
This report is ridiculous and quite frankly shows that the author does not
understand how IPB works.
Yes, the author is correct in finding that if you: copy the user's IP address,
copy the user's user-agent and copy the user's session ID then they can
"hijack" your session.
That's because, to all intents and purposes, you are the same person.
A stateless HTTP application HAS to authenticate against SOMETHING.
This report is bogus. Feel free to relabel it "Stateless HTTP authentication
potential vulnerability" and remove it from Invision Power Board's category.
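
The check this reply describes, as an added example that is not part of the original message and is not Invision Power Board's code: a session is accepted only when the session ID, IP address and User-Agent all match what was recorded at login. The function names, the in-memory table and the sample values used with it are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session table: session_id -> bound client attributes.
# Not Invision Power Board's code; names and layout are assumptions.
SESSIONS = {}


def _ua_digest(user_agent: str) -> str:
    """Store a digest of the User-Agent rather than the raw header."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def create_session(member_id: int, ip: str, user_agent: str) -> str:
    """Issue an unguessable session ID bound to the client's IP and User-Agent."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "member_id": member_id,
        "ip": ip,
        "ua": _ua_digest(user_agent),
    }
    return session_id


def validate_request(session_id: str, ip: str, user_agent: str):
    """Return (member_id, reason); member_id is None when the request is rejected."""
    record = SESSIONS.get(session_id)
    if record is None:
        return None, "unknown session"
    # Constant-time comparisons on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(record["ip"].encode("utf-8"), ip.encode("utf-8")):
        return None, "ip mismatch"
    presented_ua = _ua_digest(user_agent)
    if not hmac.compare_digest(record["ua"].encode("ascii"), presented_ua.encode("ascii")):
        return None, "user-agent mismatch"
    # All three values match: the server has nothing left to tell clients apart.
    return record["member_id"], "ok"
```

A request that differs in any one of the three values is rejected with the reason given; one that presents all three identically is treated as the original member.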