To avoid session hijacking after a user has logged in, what information can I rely on during the login process to validate that it is indeed the legitimate user, so that someone who intercepts the session to relay it will be invalidated?
Are their IP address and browser information good enough for it?
Are their IP address and browser information good enough for it?
Definitely not. The IP address can be spoofed and the browser can be retro-fitted to be a poor man's Metasploit toolkit. See the Poster tool.
The OWASP project has very good pointers to protecting the session token and other good stuff relating to general web application security.
Trust NOTHING that didn't start from within your web application server's installation folder.
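As an added illustration (my own example code, not part of the question or the answer above), here is a minimal server-side session store in Python showing the controls the OWASP session-management guidance points to instead of IP or browser binding: a token drawn from the OS CSPRNG, a fresh session ID issued at login so a pre-login ID is worthless afterwards, idle and absolute timeouts so an intercepted token stops working on its own, and HttpOnly/Secure/SameSite cookie attributes. The class and function names, the timeout values and the injectable clock are my own choices for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    authenticated: bool = False


class SessionStore:
    """Server-side session table. The only thing the client holds is an opaque ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so timeouts can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG; never derived from user-controlled data
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user="", created=now, last_seen=now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Called only after the credentials have been verified elsewhere.
        The pre-login ID is discarded and a fresh one issued, so an ID that was
        fixed or captured before authentication gives no access afterwards."""
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now,
                                      authenticated=True)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve a presented ID; expired sessions are deleted and return None,
        which forces the client to re-authenticate."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the cookie alone would leave the ID usable
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie line for the session ID: HttpOnly keeps page script from reading it,
    Secure keeps it off plaintext HTTP, SameSite=Strict stops cross-site requests
    from carrying it."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start_anonymous()
    sid = store.login(anon, "alice")      # credentials assumed already checked
    print(cookie_header(sid))
    print("old id still valid:", store.lookup(anon) is not None)   # False
    print("new id resolves to:", store.lookup(sid).user)            # alice
```

The point of the design is that nothing the client sends besides the random ID is trusted, and the ID itself is made short-lived and rotated rather than tied to a header the client can set.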