Re: CSS, CSS & let me give you some more CSS

["Bill Pennington" <billp () boarder org>]

For any commercial site it is almost impossible to use any portion of the
address for "authentication" or non-repudiation. The main reason is AOL. The
last e-com site I managed 70% or our traffic came from AOL. IIRC AOL used
proxy "pods" for their netblocks. I would watch users hop from IP to IP and
sometime across entire subnets during a session. Now you could code your app
to break for AOL users but if you are a commercial entity that could present
a few problems.

The best use to IP address authentication is in a LAN environment where
users are far less likely to go address hoping.


----- Original Message -----
From: <info () elitesoft org>
To: "Obscure" <obscure () eyeonsecurity net>
Cc: "Joe Harrison" <list-general () ntlworld com>; "Securityfocus-Vulndev"
<vuln-dev () securityfocus com>
Sent: Friday, February 01, 2002 8:08 AM
Subject: RE: CSS, CSS & let me give you some more CSS


> If you use IP address for session cookie attacker can't use
> stolen cookie.
> However, you can't use IP address when BGP or Proxy are used.
> In this case the best protection is to change session cookie
> for each transaction using transaction counter.
> This will provide a transaction non-repudiation.
> If such session cookie is stolen and used by a hacker prior
> to a user, then user session will be blown away.
>
> Mike