Avoiding session hijacking in ASP.NET

I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.

Previously I had been storing the user's IP address in the session, then making sure in every subsequent reques开发者_开发百科t that the requesting IP was equal to the stored IP.

The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.

I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.

It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.

So, why would this approach be any more secure than the more simple approach that I had been using?

As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some user's IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?

Thanks!

See this post: What is the best way to prevent session hijacking?

Basically, you should use HTTPS on your login page and any other "sensitive areas".