WebApp Sec mailing list archives

Re: Session Fixation


From: "Ian" <webappsec () fishnet co uk>
Date: Tue, 01 Apr 2003 09:50:32 +0100

On 1 Apr 2003 at 0:28, HarryM wrote:

Actually, I think suggesting to anyone that they invest in half-measures when their time can be better spent elsewhere is even more damaging. On the one hand, I can see your argument: it raises the bar ever so slightly, which is a good thing. But I don't think it's a good _enough_ thing. Consider that most people implementing these systems _aren't_ experts. They understand IP, they understand networking, but they don't really think about how to break things, so relying on IP seems "good enough". Giving the un-informed bad choices and telling them to get it right is a recipe for disaster if ever I've seen one.

One should never rely on IP for *anything* :-)

I agree, except to say that I wouldn't consider it "investing in half
measures" - at least, not the way I've coded it - since (a) it's one small
measure among many other precautions taken (tamper-proof cookies, detection
of scripted attacks, input validation, account lockouts, and so on) and (b),
at ~5 lines of code, it's not much of an investment!

I very much agree that it should be made known to as many people as possible
that IP, in the context of web services, is unreliable as a means of
identification, as silly as that may sound to the uninitiated, and that it
should never be depended on for anything - least of all security.

HarryM

Hi,

Has anyone put the Internet Explorer "Super Cookie" to use?

For the particular app I am working on, I can guarantee that all the users are connecting with IE over SSL. Plus they all (mainly) go through a router from the same LAN, and thus appear to have the same IP.

I am currently logging the super cookie to try and determine if it really is unique enough.

Regards

Ian
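Added example, not code from the thread or from either poster: a small Python sketch of the "relying on IP" check HarryM describes next to a tamper-evident (HMAC-tagged) cookie, one of the other precautions he lists. It shows why every host behind Ian's shared router looks identical to the IP check, and why a legitimate user whose address changes is rejected. The key, addresses and in-memory session store are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side state; a real app loads the key from
# configuration and keeps sessions in a proper store.
SERVER_KEY = b"example-key-not-for-production"
SESSIONS = {}  # session id -> {"user": ..., "ip": ...}


def create_session(user: str, client_ip: str) -> str:
    """Issue a session id and record the IP it was issued to."""
    sid = secrets.token_urlsafe(32)  # URL-safe, never contains '.'
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return sid


def ip_check(sid: str, client_ip: str) -> bool:
    """The half-measure: accept only if the request comes from the
    IP the session was issued to."""
    sess = SESSIONS.get(sid)
    return sess is not None and sess["ip"] == client_ip


def sign_cookie(sid: str) -> str:
    """Tamper-proof cookie: session id plus an HMAC tag over it."""
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def verify_cookie(cookie: str):
    """Return the session id if the tag verifies and the session
    exists, otherwise None."""
    sid, sep, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return sid if sid in SESSIONS else None


def demo() -> dict:
    nat_ip = "203.0.113.7"  # constructed: the LAN's one public address
    alice = create_session("alice", nat_ip)
    bob = create_session("bob", nat_ip)
    cookie = sign_cookie(alice)
    # Flip the last hex digit of the tag to simulate a modified cookie.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        # Behind the router, alice's and bob's requests carry the same
        # IP, so the IP check gives the same verdict for either of them.
        "ip_check_same_for_all_lan_hosts": ip_check(alice, nat_ip) == ip_check(bob, nat_ip) == True,
        # A new address (new lease, different network) rejects a real user.
        "legit_user_rejected_after_ip_change": ip_check(alice, "198.51.100.9") is False,
        "signed_cookie_accepted": verify_cookie(cookie) == alice,
        "tampered_cookie_rejected": verify_cookie(tampered) is None,
    }
```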
-- 